b'Semiannual Report to Congress\n\n\n\n\n   October 1, 2009-March 31, 2010\n\x0cOIG VISION\n\xe2\x80\x9cWe are agents of positive change striving for continuous\nimprovement in our agency\xe2\x80\x99s management and program operations.\xe2\x80\x9d\n\n\n\nNRC-OIG MISSION\nNRC-OIG\xe2\x80\x99s mission is to (1) independently and objectively conduct\nand supervise audits and investigations relating to NRC\xe2\x80\x99s programs and\noperations; (2) prevent and detect fraud, waste, and abuse,\nand (3) promote economy, efficiency, and effectiveness in NRC\xe2\x80\x99s\nprograms and operations.\n\n\n\n\nCover photo: Pilgrim Nuclear Power Station near\nPlymouth MA. (photo courtesy of Entergy Nuclear\nGeneration Co.)\n\x0cA Message From\nThe Inspector General\nI am pleased to present this Semiannual Report to Congress on the activities and\naccomplishments of the Nuclear Regulatory Commission (NRC) Office of the\nInspector General (OIG) from October 1, 2009, to March 31, 2010.\n\nOur work reflects the legislative mandate of the Inspector General Act, which\nis to identify and prevent fraud, waste, and abuse through the conduct of audits\nand investigations relating to NRC programs and operations. The audits and investigations highlighted\nin this report demonstrate our commitment to fulfilling this mission. As the Nation embarks upon a\nrenewed interest in nuclear power, my office will continue to work with NRC staff to promote\nefficiency and effectiveness in the administration of NRC programs.\n\nDuring this reporting period, the NRC OIG continued its focus on critical agency operations to include\nquality assurance planning for new reactors, the physical security inspection program for Category I\nfuel cycle facilities, and the NRC lessons learned program. Working with the NRC to identify potential\nshortcomings early on will afford the agency the opportunity to take any necessary corrective action.\n\nDuring this semiannual reporting period, we issued 11 program audit reports and analyzed one\ncontract audit report. As a result of this work, OIG made a number of recommendations to improve\nthe effective and efficient operation of NRC\xe2\x80\x99s safety, security, and corporate management programs.\nOIG also opened 19 investigations, and completed 17 cases. Eight of the open cases were referred to the\nDepartment of Justice, and 20 allegations were referred to NRC management for action.\n\nThe NRC OIG remains committed to the integrity, efficiency, and effectiveness of NRC programs and\noperations, and our audits, investigations, and other activities highlighted in this report demonstrate\nthis ongoing commitment. Those efforts were recently recognized with the granting of two Awards for\nExcellence by the Council of the Inspectors General on Integrity and Efficiency to an audit team and\na senior special agent. I commend their noteworthy achievements in carrying out the mission of the\nInspector General.\n\nMy office is dedicated to maintaining the highest possible standards of professionalism and quality in\nits audits and investigations. I would like to acknowledge our auditors, investigators, and support staff\nfor their superior work and commitment to the mission of our office.\n\nFinally, NRC OIG\xe2\x80\x99s success would not be possible without the collaborative efforts between my staff\nand agency managers to address OIG findings and to implement the corrective actions recommended\nby my office. I thank them for their dedication and support, and I look forward to their continued\ncooperation as we work together to ensure the integrity of agency operations.\n\n\n\nHubert T. Bell\nInspector General\n\n\n\n                                                                        October 1, 2009-March 31, 2010 | i\n\x0c                                             The Cerenkov Effect. Photo courtesy Ohio State University\n\n\nii | NRC OIG Semiannual Report to Congress\n\x0cContents\n   Highlights  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  v\n   Overview of the NRC and the OIG  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  1\n   \t     NRC\xe2\x80\x99s Mission  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . 1\n   \t     OIG History, Mission, and Goals .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  2\n   \t\t          Inspector General History .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  2\n   \t\t          OIG Mission and Goals .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . 3\n   OIG Programs and Activities .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . 4\n   \t     Audit Program  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . 4\n   \t     Investigative Program  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . 5\n   \t     General Counsel Activities  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . 6\n   \t\t          Regulatory Review  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  6\n   \t     OIG Activities .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . 10\n   \t\t          Support of the Inspector General Community in Training  .  .  .  .  .  . 10\n   \t     Other Activities .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . 10\n   \t\t          NRC OIG Receives CIGIE Awards for Excellence  .  .  .  .  .  .  .  .  .  .  . 10\n   Management and Performance Challenges  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . 13\n   Audits \t .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . 14\n   \t     Audit Summaries .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . 14\n   \t     Audits in Progress  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . 27\n   Investigations .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . 33\n   \t     Investigative Case Summaries .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . 33\n   Summary of OIG Accomplishments .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . 38\n   \t     Investigative Statistics  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . 38\n   \t     Audit Listings .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . 40\n   Audit Resolution Activities  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . 42\n   Abbreviations and Acronyms  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . 45\n   Reporting Requirements  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . 46\n\n\n\n\n                                                                                              October 1, 2009-March 31, 2010 | iii\n\x0c  Pilgrim Nuclear Power Station, located near Plymouth Mass. Photo courtesy of Entergy Nuclear Generation Co.\n\n\niv | NRC OIG Semiannual Report to Congress\n\x0cHighlights\nThe following two sections highlight selected audits and investigations completed\nduring this reporting period. More detailed summaries appear in subsequent\nsections of this report.\n\nAUDITS\n\xe2\x80\xa2 \t Social engineering is the practice of obtaining confidential information\n    through manipulation of legitimate users. Social engineers will commonly\n    use the telephone or Internet to trick a person into revealing sensitive\n    information or getting them to do something that is against typical\n    policies, exploiting the natural tendency of individuals to trust others.\n    The evaluation objective was to assess the effectiveness of agency security\n    policies and control measures protecting sensitive information technology\n    systems against a social engineering attack.\n\n\xe2\x80\xa2 \t The Atomic Energy Act of 1954, as amended, requires all NRC employees\n    to have a security clearance, but allows employees to begin working for\n    NRC prior to obtaining their clearance \xe2\x80\x94 provided the Commission\n    determines that such employment is in the national interest and the\n    employee does not have access to classified information. The NRC\n    personnel security clearance program strives to implement measures to\n    ensure that agency staff can be trusted to work with and protect classified\n    information and to prevent the hiring of employees who might be untrust-\n    worthy or unsuitable for Federal employment. The audit objective was to\n    determine whether (1) NRC is in compliance with external and internal\n    personnel security clearance requirements, and (2) NRC\xe2\x80\x99s personnel\n    security clearance program is efficiently managed.\n\n\xe2\x80\xa2 \t The Chief Financial Officers Act of 1990, as amended, requires the\n    Inspector General or an independent external auditor, as determined by\n    the Inspector General, to annually audit NRC\xe2\x80\x99s financial statements to\n    determine whether the agency\xe2\x80\x99s financial statements are free of material\n    misstatement. An independent public accounting firm conducted the audit\n    with OIG oversight.\n\n\xe2\x80\xa2 \t The Federal Information Security Management Act (FISMA) of 2002\n    was enacted on December 17, 2002. FISMA outlines the information\n    security management requirements for agencies, which include an annual\n    independent evaluation of an agency\xe2\x80\x99s information security program and\n    practices to determine their effectiveness. The objective of this review was\n    to perform an independent evaluation of NRC\xe2\x80\x99s implementation of FISMA\n    for fiscal year (FY) 2009.\n\n\n                                                                    October 1, 2009-March 31, 2010 | v\n\x0c                   \xe2\x80\xa2 \t In August 2006, the agency issued Management Directive (MD) 6.8,\n                       Lessons Learned Program, to establish the formal and structured process\n                       needed to manage corrective actions for significant agencywide lessons\n                       learned. This directive establishes the process for screening, evaluating, and\n                       implementing potential agencywide lessons learned. The audit objective\n                       was to determine whether NRC\xe2\x80\x99s agencywide Lessons Learned Program\n                       meets its intended purpose to ensure that knowledge gained from signifi-\n                       cant lessons learned is retained and disseminated in a manner that will\n                       maximize its benefit and usefulness to the staff.\n\n                   \xe2\x80\xa2 \t NRC regulates the design, siting, construction, and operation of nuclear\n                       power plants. Title 10 Code of Federal Regulations Part 52 (Part 52)\n                       establishes the process to apply for a combined license, which, if approved\n                       by the NRC, allows the applicant to construct and operate a nuclear power\n                       plant. Under Part 52, each combined license applicant is required to submit\n                       a final safety analysis report that describes the facility and presents a safety\n                       analysis of the facility as a whole. This report must include a description of\n                       the applicant\xe2\x80\x99s quality assurance program to be applied to the design, fabri-\n                       cation, construction, and testing of the structures, systems, and compo-\n                       nents of the facility. The Office of New Reactors is responsible for reviewing\n                       combined license applications. The audit objective was to determine the\n                       extent to which NRC provides oversight of applicant and licensee new\n                       nuclear power plant quality assurance programs.\n\n                   \xe2\x80\xa2 \t NRC oversees security programs at facilities that manufacture fuel for\n                       nuclear reactors. These fuel cycle facilities use \xe2\x80\x9cspecial nuclear materials\xe2\x80\x9d in\n                       the manufacturing process. NRC classifies special nuclear materials\n                       and the facilities that possess them into three categories based upon the\n                       materials\xe2\x80\x99 potential for use in nuclear weapons, or \xe2\x80\x9cstrategic significance.\xe2\x80\x9d\n                       The audit objective was to assess the effectiveness of the NRC\xe2\x80\x99s physical\n                       security inspection program over the protection and control of special\n                       nuclear material at Category I fuel cycle facilities, which are considered\n                       the most strategically significant.\n\n\n\n\nvi | NRC OIG Semiannual Report to Congress\n\x0cINVESTIGATIONS\n\xe2\x80\xa2 \t OIG conducted an investigation based on an allegation from a former\n    NRC employee concerning the appointment of an individual to serve\n    as the Patients\xe2\x80\x99 Right Advocate to NRC\xe2\x80\x99s Advisory Committee on the\n    Medical Uses of Isotopes. The alleger asserted that NRC staff forwarded\n    the individual\xe2\x80\x99s name to the Commission for approval without conveying\n    certain information that would have demonstrated that the individual was\n    not an appropriate choice for the Patients\xe2\x80\x99 Right Advocate position.\n\n\xe2\x80\xa2 \t OIG conducted an investigation into an attempted network intrusion\n    based on a notification from the NRC Computer Security Office that a\n    user uploaded password cracking software onto the NRC Agencywide\n    Documents Access Management System (ADAMS) Citrix server.\n\n\xe2\x80\xa2 \t OIG conducted an investigation into a spear phishing attack in which\n    17 NRC computer users were targeted. The e-mail contained a link to a\n    Web site that initiated the download of the malicious software. NRC users\n    launched the link and downloaded the malicious software.\n\n\xe2\x80\xa2 \t OIG completed an investigation concerning a former licensee employee\xe2\x80\x99s\n    harassment and intimidation (H&I) complaint against the individual\xe2\x80\x99s\n    former employer. The individual raised the concern to NRC\xe2\x80\x99s Office of\n    Investigations (OI), which closed the investigation after the individual\n    reached a settlement with the former employer. The alleger maintained that\n    OI should not have closed the case, but should have continued its investi-\n    gation into the H&I complaint against the licensee company.\n\n\xe2\x80\xa2 \t OIG conducted an investigation involving six separate allegations\n    concerning NRC\xe2\x80\x99s oversight of Nuclear Fuel Services, Inc. (NFS), an\n    NRC licensee that manufactures and processes nuclear reactor fuel for\n    commercial and military purposes. Three of the allegations challenged\n    whether NRC followed its own rules and policies with regard to a license\n    amendment approval, provision of information to the public, and handling\n    of an allegation against a senior NFS official. The other three allegations\n    addressed whether NRC influenced a Department of Health and Human\n    Services decision that the NFS facility was not a significant health hazard,\n    whether an NRC inspector assigned to NFS was transferred for pursuing\n    his assignment too rigorously, and whether NRC failed to enforce a\n    confirmatory order concerning NFS.\n\n\n\n\n                                                                 October 1, 2009-March 31, 2010 | vii\n\x0c                                               Fuel rod assembly.\n\n\nviii | NRC OIG Semiannual Report to Congress\n\x0cOverview of the NRC and the OIG\nNRC\xe2\x80\x99S MISSION\nNRC was formed in 1975, in accordance with the Energy Reorganization Act\nof 1974, to regulate the various commercial and institutional uses of nuclear\nmaterials. The agency succeeded the Atomic Energy Commission, which\npreviously had responsibility for both developing and regulating nuclear\nactivities.\n\nNRC\xe2\x80\x99s mission is to regulate the Nation\xe2\x80\x99s civilian use of byproduct, source,\nand special nuclear materials to ensure adequate\nprotection of public health and safety, promote the\ncommon defense and security, and protect the\nenvironment. NRC\xe2\x80\x99s regulatory mission covers three\nmain areas:\n\n\xe2\x80\xa2 \t Reactors - Commercial reactors that generate\n    electric power and research and test reactors\n    used for research, testing, and training.\n\n\xe2\x80\xa2 \t Materials - Uses of nuclear materials in medical,\n    industrial, and academic settings and facilities\n    that produce nuclear fuel.\n\n\xe2\x80\xa2 \t Waste - Transportation, storage, and disposal of nuclear materials and\n    waste, and decommissioning of nuclear facilities from service.\n\nUnder its responsibility to protect public health and safety, NRC has three\nprincipal regulatory functions: (1) establish standards and regulations, (2)\nissue licenses for nuclear facilities and users of nuclear materials, and (3)\ninspect facilities and users of nuclear materials to ensure compliance with the\nrequirements. These regulatory functions relate both to nuclear power plants\nand other uses of nuclear materials \xe2\x80\x93 like nuclear medicine programs at\nhospitals, academic activities at educational institutions, research, and such\nindustrial applications as gauges and testing equipment.\n\nThe NRC maintains a current Web site and a public document room at\nNRC headquarters in Rockville, Maryland, and holds public hearings, public\nmeetings in local areas and at NRC offices, and discussions with individuals\nand organizations.\n\n\n\n\n                                                                   October 1, 2009-March 31, 2010 | 1\n\x0c                   OIG HISTORY, MISSION, AND GOALS\n                   Inspector General History\n                   In the 1970s, Government scandals, oil shortages, and stories of corrup-\n                   tion covered by newspapers, television, and radio stations took a toll on the\n                   American public\xe2\x80\x99s faith in its Government. The U.S. Congress knew it had to\n                   take action to restore the public\xe2\x80\x99s trust. It had to increase oversight of Federal\n                                                                   programs and operations. It had\n                                                                   to create a mechanism to evaluate\n                                                                   the effectiveness of Government\n                                                                   programs. And, it had to provide\n                                                                   an independent voice for economy,\n                                                                   efficiency, and effectiveness within\n                                                                   the Federal Government that\n                                                                   would earn and maintain the trust\n                                                                   of the American people.\n\n                                                                    In response, Congress passed the\n                                                                    landmark legislation known as the\n                                                                    Inspector General Act (IG Act),\nInspector General Hubert T. Bell presents a plaque to former        which President Jimmy Carter\nChairman Dale E. Klein in appreciation of his support to the        signed into law in 1978. The IG Act\nmission of the Office of the Inspector General. Pictured left to\nright are Joseph A. McMillan, Assistant Inspector General for\n                                                                    created independent Inspectors\nInvestigations; Hubert T. Bell; Dale E. Klein; David C. Lee, Deputy General, who would protect the\nInspector General; and Steven E. Zane, Deputy Assistant Inspector   integrity of Government; improve\nGeneral for Audits.                                                 program efficiency and effective-\n                                                                    ness; prevent and detect fraud,\n                      waste, and abuse in Federal agencies; and keep agency heads, Congress, and\n                      the American people fully and currently informed of the findings of IG work.\n\n                   Today, the IG concept is a proven success. The IGs continue to deliver\n                   significant benefits to our Nation. Thanks to IG audits and investigations,\n                   billions of dollars have been returned to the Federal Government or have been\n                   better spent based on recommendations identified through those audits and\n                   investigations. IG investigations have also contributed to the prosecution of\n                   thousands of wrongdoers. In addition, the IG concepts of good governance,\n                   accountability, and monetary recovery encourages foreign governments to seek\n                   advice from IGs, with the goal of replicating the basic IG principles in their\n                   own governments.\n\n\n\n\n2 | NRC OIG Semiannual Report to Congress\n\x0cOIG Mission and Goals\nNRC\xe2\x80\x99s OIG was established as a statutory entity on April 15, 1989, in\naccordance with the 1988 amendment to the IG Act. NRC OIG\xe2\x80\x99s mission\nis to (1) independently and objectively conduct and supervise audits and\ninvestigations relating to NRC programs and operations; (2) prevent and\ndetect fraud, waste, and abuse; and (3) promote economy, efficiency, and\neffectiveness in NRC programs and operations.\n\nOIG is committed to ensuring the integrity of NRC programs and operations.\nDeveloping an effective planning strategy is a critical aspect of accomplishing\nthis commitment. Such planning ensures that audit and investigative resources\nare used effectively. To that end, OIG developed a Strategic Plan that includes\nthe major challenges and critical risk areas facing NRC.\n\nThe plan identifies OIG\xe2\x80\x99s priorities and establishes a shared set of\nexpectations regarding the goals OIG expects to achieve and the strategies\nthat will be employed to do so. OIG\xe2\x80\x99s Strategic Plan features three goals, which\ngenerally align with NRC\xe2\x80\x99s mission and goals:\n\n1.\t\x07Strengthen NRC\xe2\x80\x99s efforts to protect public health and safety and the\n    environment.\n\n2.\t Enhance NRC\xe2\x80\x99s efforts to increase security in response to an evolving\n    threat environment.\n\n3.\t Increase the economy, efficiency, and effectiveness with which NRC\n    manages and exercises stewardship over its resources.\n\n\n\n\n1\n    OIG\xe2\x80\x99s current Strategic Plan covers the period FY 2008 through FY 2013.\n\n\n\n\n                                                                              October 1, 2009-March 31, 2010 | 3\n\x0cOIG Programs and Activities\n                   Audit Program\n                   The OIG Audit Program focuses on management and financial operations;\n                   economy and efficiency with which an organization, program, or function is\n                   managed; and whether the programs achieve intended results. OIG auditors\n                   assess the degree to which an organization complies with laws, regulations, and\n                   internal policies in carrying out programs, and they test program effectiveness\n                   as well as the accuracy and reliability of financial statements. The overall objec-\n                   tive of an audit is to identify ways to enhance agency operations and promote\n                   greater economy and efficiency. Audits comprise four phases:\n\n                   \xe2\x80\xa2 \t Survey phase\xe2\x80\x93An initial phase of the audit process is used to gather\n                       information, without detailed verification, on the agency\xe2\x80\x99s organization,\n                       programs, activities, and functions. An assessment of vulnerable areas\n                       determines whether further review is needed.\n\n                   \xe2\x80\xa2 \t Verification phase\xe2\x80\x93Detailed information is obtained to verify findings and\n                       support conclusions and recommendations.\n\n                   \xe2\x80\xa2 \t Reporting phase\xe2\x80\x93The auditors present the information, findings, conclu-\n                       sions, and recommendations that are supported by the evidence gathered\n                       during the survey and verification phases. Exit conferences are held with\n                       management officials to obtain their views on issues in the draft audit\n                       report. Comments from the exit conferences are presented in the published\n                       audit report, as appropriate. Formal written comments are included in\n                       their entirety as an appendix in the published audit report.\n\n                   \xe2\x80\xa2 \t Resolution phase\xe2\x80\x93Positive change results from the resolution process\n                       in which management takes action to improve operations based on the\n                       recommendations in the published audit report. Management actions\n                       are monitored until final action is taken on all recommendations. When\n                       management and OIG cannot agree on the actions needed to correct a\n                       problem identified in an audit report, the issue can be taken to the NRC\n                       Chairman for resolution.\n\n                   Each September, OIG issues an Annual Plan that summarizes the audits\n                   planned for the coming fiscal year. Unanticipated high priority issues may arise\n                   that generate audits not listed in the Annual Plan. OIG audit staff continually\n                   monitor specific issues areas to strengthen OIG\xe2\x80\x99s internal coordination and\n                   overall planning process. Under the OIG Issue Area Monitor (IAM) program,\n                   staff designated as IAMs are assigned responsibility for keeping abreast of\n\n\n\n\n4 | NRC OIG Semiannual Report to Congress\n\x0cmajor agency programs and activities. The broad IAM areas address nuclear\nreactors, nuclear materials, nuclear waste, international programs, security,\ninformation management, and financial management and administrative\nprograms.\n\nINVESTIGATIVE PROGRAM\nOIG\xe2\x80\x99s responsibility for detecting and preventing fraud, waste, and abuse within\nNRC includes investigating possible violations of criminal statutes relating to\nNRC programs and activities, investigating misconduct by NRC employees,\ninterfacing with the Department of Justice on OIG-related criminal matters,\nand coordinating investigations and other OIG initiatives with Federal, State,\nand local investigative agencies and other OIGs. Investigations may be initiated\nas a result of allegations or referrals from private citizens; licensee employees;\nNRC employees; Congress; other Federal, State, and local law enforcement\nagencies; OIG audits; the OIG Hotline; and IG initiatives directed at areas\nbearing a high potential for fraud, waste, and abuse.\n\nBecause NRC\xe2\x80\x99s mission is to protect the health and safety of the public, OIG\xe2\x80\x99s\nInvestigative Program directs much of its resources and attention on investi-\ngations of alleged conduct by NRC staff that could adversely impact matters\nrelated to health and safety. These investigations may address allegations of:\n\n\xe2\x80\xa2 \t Misconduct by high-ranking NRC officials and other NRC officials, such\n    as managers and inspectors, whose positions directly impact public health\n    and safety.\n\n\xe2\x80\xa2 \t Failure by NRC management to ensure that health and safety matters are\n    appropriately addressed.\n\n\xe2\x80\xa2 \t Failure by NRC to appropriately transact nuclear regulation publicly and\n    candidly and to openly seek and consider the public\xe2\x80\x99s input during the\n    regulatory process.\n\n\xe2\x80\xa2 \t Conflicts of interest involving NRC employees and NRC contractors and\n    licensees, including such matters as promises of future employment for\n    favorable or inappropriate treatment and the acceptance of gratuities.\n\n\xe2\x80\xa2 \t Fraud in the NRC procurement program involving contractors violating\n    Government contracting laws and rules.\n\n\n\n\n                                                                    October 1, 2009-March 31, 2010 | 5\n\x0c                   OIG has also implemented a series of proactive initiatives designed to identify\n                   specific high-risk areas that are most vulnerable to fraud, waste, and abuse. A\n                   primary focus is electronic-related fraud in the business environment. OIG\n                   is committed to improving the security of this constantly changing electronic\n                   business environment by investigating unauthorized intrusions and computer-\n                   related fraud, and by conducting computer forensic examinations. Other proac-\n                   tive initiatives focus on determining instances of procurement fraud, theft of\n                   property, Government credit card abuse, and fraud in Federal programs.\n\n\n\n                   GENERAL COUNSEL ACTIVITIES\n                   Regulatory Review\n                   Pursuant to the Inspector General Act, 5 U.S.C. App. 3, Section 4(a)(2), OIG\n                   reviews existing and proposed legislation, regulations, policy, and imple-\n                   menting Management Directives (MD), and makes recommendations to the\n                   agency concerning their impact on the economy and efficiency of agency\n                   programs and operations.\n\n                   Regulatory review is intended to provide assistance and guidance to the\n                   agency prior to the concurrence process so as to avoid formal implementa-\n                   tion of potentially flawed documents. The OIG does not concur or object to\n                   the agency actions reflected in the regulatory documents, but rather offers\n                   comments and requests responsive action within specified timeframes.\n\n                   Comments provided in regulatory review reflect an objective analysis of the\n                   language of proposed agency statutes, directives, regulations, and policies\n                   resulting from OIG insights from audits, investigations, and historical data and\n                   experience with agency programs. OIG review is structured so as to identify\n                   vulnerabilities and offer additional or alternative choices.\n\n                   From October 1, 2009, through March 31, 2010, OIG reviewed more than 320\n                   agency documents, including approximately 220 Commission papers (SECYs)\n                   and Staff Requirements Memoranda, and 100 Federal Register Notices, regula-\n                   tory actions, and statutes.\n\n                   To effectively track the agency\xe2\x80\x99s response to OIG regulatory review, comments\n                   include a request for written replies within 90 days, with either a substantive\n                   reply or status of issues raised by OIG.\n\n\n\n\n6 | NRC OIG Semiannual Report to Congress\n\x0cDuring this reporting period, the OIG also commented on more than 11 draft\nManagement Directives on technical issues, agency communications, program\norganization and personnel guidance. In addition, OIG provided substantive\nobservations on a Commission paper related to the Open Government Initia-\ntive. Feedback and suggestions were also provided on the agency\xe2\x80\x99s No Fear Act\ntraining. These are summarized below. In addition, the agency provided respon-\nsive comments to nine OIG comments and for a commentary issued earlier.\n\nManagement Directives Related to Agency Communications\n\nMD 2.3, Telecommunications, establishes telecommunications policies and\nprocedures applicable to all facilities, services, and equipment primarily asso-\nciated with the transfer of information contained within the agency. OIG\ncomments concerned alignment of the direction in this reference with guid-\nance in MD 12.1, \xe2\x80\x9cNRC Facility Security Program,\xe2\x80\x9d so as to ensure compliance\nwith Department of Justice guidance concerning the IG\xe2\x80\x99s role in approving the\nuse of devices for monitoring, recording, or intercepting conversations.\n\nMD 3.16, NRC Announcement Program, is a new directive intended to\nformalize the process and procedures for making agencywide announcements.\nOIG comments noted the need to identify the position responsible for assuring\nsensitive information is not released in announcements and for consistency in\nuse of terminology within the directive.\n\nMD 3.57, Correspondence Management, is intended to aid in preparing and\nhandling correspondence in paper and electronic environments, including the\nuse of e-mail and the Agencywide Documents Access and Management System\n(ADAMS). The OIG noted that as an office reporting directly to the Chairman,\nit should be included as an exception to the directive.\n\nManagement Directives Related to Agency Organization\n\nMD 9.7, Organization and Functions, Office of the General Counsel, generally\ndescribes the legal program within the agency. OIG comments suggested that\nit would be helpful to include more comprehensive information on the Office\nof the General Counsel (OGC) relationship with Regional Counsels, and to\nurge that legal advice on acquisition matters be extended further than \xe2\x80\x9cas\nrequested.\xe2\x80\x9d OGC responded with additional direction on the relationship with\nRegional Counsels, and additional OGC involvement in procurement matters,\nspecifically Organizational Conflict of Interest and 10 CFR Part 11 clearances.\n\n\n\n\n                                                                  October 1, 2009-March 31, 2010 | 7\n\x0c                   MD 9.17, Organization and Functions, Office of the Executive Director for\n                   Operations, (EDO), adequately described that office. OIG commented that it\n                   would be helpful if the EDO responsibilities in the directive included those\n                   related to audit recommendations as stated in MD 6.1, Internal Management\n                   Resolution of Audit Recommendations. In addition, inclusion of Reorganiza-\n                   tion Plan No. 1, \xe2\x80\x9cInternal Commission Procedures,\xe2\x80\x9d of 1980 in the references\n                   section of the MD was recommended.\n\n                   MD 9.24, Organization and Functions, Office of Small Business and Civil Rights\n                   (SBCR), was well constructed, but lacked specificity in 10 identified areas,\n                   which were identified in the OIG comment. These items included SBCR\xe2\x80\x99s\n                   responsibility for the Equal Employment Opportunity counselors program and\n                   its role in the Commission briefing, grants award program, and recruitment.\n                   Additionally, clarification was suggested for several items, including position\n                   responsibilities and the organization chart.\n\n                   Management Directives and Actions Related to Agency Personnel Processes\n\n                   MD 10.11, Visiting Fellows Program, provides direction to implement\n                   the agency policy to supplement NRC\xe2\x80\x99s expertise in science, medicine,\n                   and engineering by limited employment of visiting professionals. The OIG\n                   suggested additional detail in the directive regarding employment benefits\n                   available to the fellows during their tenure at NRC.\n\n                   MD 10. 72, Awards and Recognition, comprehensively described the awards\n                   program, but omitted reference to OIG staff. After discussion with the agency,\n                   directions applicable to OIG personnel that appeared in the previous version of\n                   the MD were added back into the directive.\n\n                   MD 10.51, Recruitment, Relocation and Retention Incentives, was also complete\n                   for agency personnel, but omitted reference to OIG staff. In this case also, after\n                   discussion with agency staff, OIG personnel actions were included in the direc-\n                   tive.\n\n                   MD 10.38, Position Management, needed revision to include OIG personnel\n                   management matters, which was accomplished after discussion with the agency.\n\n                   The agency also created an agencywide training video for employees on the\n                   No Fear Act. OIG was asked to review and comment on contained proposed\n                   scenarios and announcement language. OIG provided technical and editorial\n                   corrections, which were adopted by the agency.\n\n\n\n\n8 | NRC OIG Semiannual Report to Congress\n\x0cComments Related to Technical Issues\n\nDraft final rule, 10 CFR 51.22, Criterion for Categorical Exclusion:\nIdentification of Licensing and Regulatory Actions Eligible for Categorical\nExclusion or Otherwise Not Requiring Environmental Review. OIG expressed\nreservations regarding an aspect of the draft rule, which would have exempted\ncode cases applicable to the Boiler and Pressure Vessel Code, Section II,\n\xe2\x80\x9cMaterials Review.\xe2\x80\x9d This would have potentially allowed exclusion from\nenvironmental review certain materials which, once introduced into the\nreactor system, could become environmentally harmful. The agency agreed\nwith these comments and revised the draft rule to address these concerns.\n\nDraft amendments to 10 CFR Part 40, Domestic Licensing of Source Material \xe2\x80\x93\nAmendments/Integrated Safety Analysis. The draft rule proposed adding a new\nsection H to Part 40, which would have required uranium conversion facilities\nto meet new safety standards for chemical and radiological hazards similar to\nthose in 10 CFR Part 70. OIG comments questioned the basis for the\namendments and the estimated cost for compliance with the changes.\nMeetings with cognizant agency officials clarified the derivative authority\nconveyed by the Atomic Energy Act and further that the cost estimates were\nrelated to current costs and not changed costs; as a result, OIG concerns were\nsatisfied without further changes to the draft.\n\nDraft MD 8.13, Reactor Oversight Process. OIG related a concern regarding the\nHandbook section on \xe2\x80\x9cSignificance of Indicators and Findings,\xe2\x80\x9d because\nit omitted the definition of safety significance of findings and performance\nindicators in terms of colors (Red, Yellow, White, and Green). This basic\nprogram information is considered essential, and was actually included as\nreference material in other sections of the MD. The agency agreed with this\ncomment and revised the draft accordingly.\n\n\n\n\n                                                                 October 1, 2009-March 31, 2010 | 9\n\x0c                  OIG ACTIVITIES\n                  Support of the Inspector General Community in Training\n                  The OIG General Counsel, Maryann Grodin, supported the Inspector General\n                  community in training and presentations. Ms. Grodin served as a guest\n                  speaker for the Naval Facilities Command Inspector General Conference.\n                  During that conference, the OIG General Counsel made a presentation to\n                  more than 40 IG auditors, attorneys, and investigators from worldwide field\n                  offices. Ms. Grodin\xe2\x80\x99s presentation, titled, \xe2\x80\x9cFraud and Reform,\xe2\x80\x9d covered two\n                  matters of significance to the IG community: the Supreme Court decision in\n                  Allison Engine Co. v. U.S. ex rel Sanders, No. 07-214, and the Fraud Enforce-\n                  ment and Recovery Act of 2009, Public Law 111-21. During the presentation,\n                  Ms. Grodin related statutory and regulatory authority and standards applicable\n                  to each of the topics, and illustrated each discussion area with examples from\n                  practice and evolving case law.\n\n                  OTHER ACTIVITIES\n                  NRC OIG Receives CIGIE Awards for Excellence\n                  In 2009, the Council of the Inspectors General on Integrity and Efficiency\n                  (CIGIE) recognized an OIG audit team and a senior special agent by awarding\n                  each the prestigious CIGIE Award for Excellence.\n\n                  \xe2\x80\xa2 \t The audit team was recognized for exceptional performance in recom-\n                      mending actions to enhance NRC\xe2\x80\x99s oversight of the Agreement State\n                      Program. The team consisted of Robert Wild, Senior Management Analyst;\n                      Eric Rivera, Senior Auditor; and Rebecca Ryan, Management Analyst.\n\n                  \xe2\x80\xa2 \t Senior special agent Veronica Bucci was recognized for exceptional\n                      performance in investigating and reporting that a Fortune 500 company\n                      submitted 77 false claims to NRC in violation of the False Claims Act.\n\n                  CIGIE Award for Excellence in Audit \xe2\x80\x93 Agreement State Audit\n\n                  In accordance with section 274 of the Atomic Energy Act, as amended, NRC\xe2\x80\x99s\n                  Agreement State Program may relinquish its authority to regulate certain\n                  nuclear material to States. Nuclear material is widely used in the United States\n                  and abroad for peaceful purposes. However, the events of September 11,\n                  2001, heightened the Nation\xe2\x80\x99s concerns that the loss or theft of nuclear\n                  material could lead to malicious use such as in a radiological dispersal\n                  device, also known as a dirty bomb.\n\n\n\n\n10 | NRC OIG Semiannual Report to Congress\n\x0cThe States to which NRC relinquishes its\nauthority must first demonstrate that their regu-\nlatory programs are adequate to protect public\nhealth and safety and are compatible with NRC\xe2\x80\x99s\nprogram. States that have entered into an agree-\nment assuming this regulatory authority from\nNRC are called Agreement States. NRC has\nprogrammatic responsibility to periodically review\nAgreement State actions to comply with the\nrequirements of the Atomic Energy Act. NRC\xe2\x80\x99s\npolicy is to evaluate Agreement State radiation\n                                                      The NRC Agreement States Audit Group receives\ncontrol programs using performance indicators         its 2009 CIGIE Award for Excellence. Pictured\nto ensure nationwide that public health and safety    left to right are Stephen D. Dingbaum, Assistant\nis being adequately protected and that Agree-         Inspector General for Audits; Robert K. Wild,\n                                                      Audit Manager; Sherri A. Miotla, Team Leader;\nment State programs are compatible with NRC\xe2\x80\x99s         Eric Rivera, Audit Manager; David C. Lee, Deputy\nprogram.                                              Inspector General; and Hubert T. Bell, Inspector\n                                                      General.\nAlthough NRC maintains oversight of the\nAgreement States, the audit team identified the following program adequacy\nand effectiveness issues:\n\n\xe2\x80\xa2 \t NRC does not effectively monitor the Integrated Materials Performance\n    Evaluation Program (IMPEP) operational issues. IMPEP is NRC\xe2\x80\x99s mecha-\n    nism for periodically reviewing the actions of the Agreement States to\n    comply with the requirements of the Atomic Energy Act. Agreement State\n    program managers are unaware of several operational issues because there\n    is no systematic mechanism for conducting self-assessments and capturing\n    lessons learned for IMPEP. Consequently, IMPEP may not be as effective as\n    it could be for assessing the adequacy and compatibility of Agreement State\n    programs.\n\n\xe2\x80\xa2 \t NRC could be challenged to re-exert authority over an Agreement State\n    program in the event of an emergency. Under the Atomic Energy Act, NRC\n    can temporarily suspend its agreement with a State during an emergency\n    situation. However, NRC has not identified all of the information neces-\n    sary for re-exerting authority and lacks formal procedural guidance about\n    what information is needed about Agreement State programs and materials\n    licensees. Without this valuable planning information, NRC could lose\n    oversight and awareness of licensees and materials.\n\n\xe2\x80\xa2 \t NRC\xe2\x80\x99s communications with and collection of information from\n    Agreement States needs improvement. Even though NRC serves as the\n    Federal-level presence for materials safety and security under the National\n    Materials Program, the agency lacks (1) standardization in communication\n\n\n                                                                 October 1, 2009-March 31, 2010 | 11\n\x0c                        procedures, and (2) a standardized data collection process that can be used\n                        as a basis for developing a national information sharing tool. As a result,\n                        some States may be unaware of important issues, and NRC does not have a\n                        full and accurate picture of Agreement State regulatory activities.\n\n                    \xe2\x80\xa2 \t Weaknesses exist in NRC\xe2\x80\x99s review of Agreement State event reporting.\n                        NRC\xe2\x80\x99s reviews of whether an Agreement State has appropriately reported\n                        all events to the Nuclear Material Events Database (NMED) may not be\n                        consistently performed. NRC\xe2\x80\x99s IMPEP reviews do not require an analysis\n                        of unreported events to determine whether such events are being appro-\n                        priately identified for and included in NMED. Consequently, NRC and\n                        the public may have an inaccurate accounting of material events in some\n                        States, which could also hamper events data trend analysis efforts.\n\n                    The audit team\xe2\x80\x99s work represented a significant contribution to protecting\n                    public health and safety by ensuring that NRC\xe2\x80\x99s oversight of Agreement State\n                    regulatory programs are adequate to protect public health and safety, and are\n                    compatible with NRC\xe2\x80\x99s program.\n\n                    CIGIE Award for Excellence in Investigation \xe2\x80\x93 Violation of False Claims Act\n\n                                                 Senior Special Agent (SSA) Veronica Bucci was\n                                                 recognized by the CIGIE for work involving an\n                                                 allegation that an NRC contractor, Science Applica-\n                                                 tions International Corporation (SAIC), a Fortune\n                                                 500 scientific, engineering, and technology appli-\n                                                 cations company, violated the False Claims Act\n                                                 (FCA) and breached two contracts with the NRC.\n\n                                                    OIG\xe2\x80\x99s investigation found that in 1992 and 1999,\n                                                    NRC awarded two contracts to SAIC to provide the\nSenior Special Agent Veronica O. Bucci receives     agency with technical assistance on the develop-\nher 2009 CIGIE Award for Excellence. Pictured       ment of a rule that would allow for the recycling\nleft to right are Joseph A. McMillan, Assistant     and reuse of slightly radioactive material, primarily\nInspector General for Investigations; Rossana\nRaspa, Senior Level Assistant for Investigative\n                                                    contaminated metals. In 1992, SAIC was responsible\nOperations; Hubert T. Bell, Inspector General;      for assisting NRC in establishing scientific stan-\nSenior Special Agent Bucci; and David C. Lee,       dards governing the reuse of such material and was\nDeputy Inspector General.                           to present an options paper outlining the possible\n                       approaches to rulemaking for the release of these materials. The goal of the 1999\n                       contract was to assess regulatory alternatives regarding the release of reusable\n                       materials. As part of both contract requirements, SAIC certified to NRC that\n                       SAIC had no conflicts of interest; however, during a public meeting, a private\n                       citizen reported that SAIC did have conflicts of interest related to this issue.\n\n\n\n\n12 | NRC OIG Semiannual Report to Congress\n\x0cOIG\xe2\x80\x99s investigation determined that SAIC breached its organizational conflict-\nof-interest obligations under both NRC contracts by engaging in relationships\nwith organizations, including the Association of Radioactive Metal Recyclers,\nwhose aim was to advocate in favor of recycling and reusing radioactive mate-\nrials. By concealing these relationships, SAIC stood to benefit from the rule.\nThe OIG investigation concluded that SAIC violated the FCA and breached its\ncontract requirements with NRC by not disclosing these relationships.\n\nThroughout the investigation and subsequent Federal trial, SSA Bucci provided\ninvaluable assistance and support to the Department of Justice and the NRC\xe2\x80\x99s\nOffice of the General Counsel, which culminated in a Federal jury finding that\nSAIC violated the FCA. The jury awarded the U.S. Government $6.49 million\nunder the FCA and penalties for 77 false claims and statements that SAIC\nsubmitted to NRC for payment.\n\nManagement and Performance Challenges\n                 Most Serious Management and Performance Challenges\n                      Facing the Nuclear Regulatory Commission *\n                               as of September 30, 2009\n                               (as identified by the Inspector General)\n\n  Challenge 1\t Protection of nuclear material used for civilian purposes.\n\n  Challenge 2\t Managing information to balance security with openness and accountability.\n\n  Challenge 3\t\x07Ability to modify regulatory processes to meet a changing environment, to include\n               the licensing of new nuclear facilities.\n\n  Challenge 4\t Oversight of radiological waste.\n\n  Challenge 5\t Implementation of information technology and information security measures.\n\n  Challenge 6\t Administration of all aspects of financial management.\n\n  Challenge 7\t Managing human capital.\n\n  *\x07The most serious management and performance challenges are not ranked in any order\n    of importance.\n\nThe seven challenges contained in this report are distinct, yet interdependent relative to the\naccomplishment of NRC\xe2\x80\x99s mission. For example, the challenge of managing human capital\naffects all other management and performance challenges.\n\n\n\n                                                                  October 1, 2009-March 31, 2010 | 13\n\x0cAudits\n                  To help the agency improve its effectiveness and efficiency during this period, OIG\n                  completed 11 financial and performance audits or evaluations, 7 of which are\n                  summarized here that resulted in numerous recommendations to NRC manage-\n                  ment. OIG also analyzed one contract audit report.\n\n                  AUDIT SUMMARIES\n                  Social Engineering Assessment Report\n                  OIG Strategic Goal: Security\n\n                  Social engineering is the practice of obtaining confidential information\n                  through manipulation of legitimate users. Social engineers will commonly use\n                  the telephone or Internet to trick a person into revealing sensitive information\n                  or getting them to do something that is against typical policies, exploiting the\n                  natural tendency of individuals to trust others. A contemporary example of a\n                  social engineering attack is the use of e-mail attachments that contain mali-\n                  cious payloads that, for example, use the victim\xe2\x80\x99s machine to send massive\n                  quantities of spam. After earlier malicious e-mails led software vendors to\n                  disable automatic execution of attachments, users now have to explicitly acti-\n                  vate attachments for this to occur. Many users, however, will automatically\n                  click on any attachments they receive, thus allowing the attack to work.\n\n                  OIG sought to assess the effectiveness of agency security policies and control\n                  measures protecting sensitive information technology systems against a social\n                  engineering attack. A contractor with expertise in this area was selected to\n                  perform the assessment, which involved the following techniques:\n\n                  \xe2\x80\xa2 \t Reconnaissance to discover publicly available information that may be\n                      leveraged to develop materials that may facilitate the social engineering\n                      assessment, including scripts, scenarios, samples, and e-mails.\n\n                  \xe2\x80\xa2 \t Dumpster/recycle bin diving and workspace walk throughs to deter-\n                      mine whether employees and contractors are transporting, storing, and\n                      disposing of sensitive information according to defined policies.\n\n                  \xe2\x80\xa2 \t Physical access assessment to identify weaknesses in physical access controls\n                      that are typically used to protect against unauthorized access to buildings,\n                      information technology systems, and sensitive information.\n\n                  \xe2\x80\xa2 \t Baiting by deliberately placing removable media, containing malware, outside\n                      and around facilities, with the hope that an employee will find the media,\n                      connect it to the network, and inadvertently deploy the contained malware.\n\n\n\n14 | NRC OIG Semiannual Report to Congress\n\x0c\xe2\x80\xa2 \t Social engineering phone calls attempting to extract sensitive information\n    from employees by impersonating trusted figures, including the help desk\n    or the security office.\n\n\xe2\x80\xa2 \t Phishing e-mails attempting to entice users to divulge sensitive information\n    or click on non-NRC links.\n\nAssessment Results:\n\nThe assessment, which was performed between August 19, 2009, and\nNovember 6, 2009, demonstrated that NRC had improved its controls since\n2006, when a prior OIG social engineering assessment was conducted. The\nassessment, however, also revealed areas where NRC can further strengthen\nthe controls needed to protect against social engineering attacks and made\nrecommendations to help NRC address specific areas noted for improvement.\nAdditional information concerning the assessment results cannot be reported\npublicly due to the security-related nature of the assessment and results.\n(Addresses Management and Performance Challenge #5)\n\nAudit of NRC\xe2\x80\x99s Personnel Security Clearance Program\nfor Employees\nOIG Strategic Goal: Security\n\nAtomic Energy Act of 1954, as amended, requires all NRC employees to have\na security clearance. The NRC personnel security clearance program strives to\nimplement measures to ensure that agency staff can be trusted to work with and\nprotect classified information and to prevent the hiring of employees who might\nbe untrustworthy or unsuitable for Federal employment. At NRC, the Office of\nAdministration, Division of Facilities and Security, through its Personnel Secu-\nrity Branch (PSB) administers the personnel security clearance program.\n\nNRC allows employees to begin working for the agency prior to their clear-\nance \xe2\x80\x94 provided the Commission determines that such employment is in the\nnational interest and the employee does not have access to classified informa-\ntion. Today, a significant number of new NRC employees are permitted to\nbegin work prior to receiving a security clearance, but only after PSB conducts a\nreview of the individual\xe2\x80\x99s criminal history, credit history and background infor-\nmation as reported by the individual; evaluates the results; and determines there\nare no factors that may constitute a security risk to the agency. This approval is\nreferred to as a pre-appointment investigation waiver or a 145b waiver.\n\nAfter NRC grants an initial approval to begin work (with no access to classi-\nfied information), the agency requests a full background investigation from the\n\n\n\n                                                                  October 1, 2009-March 31, 2010 | 15\n\x0c                  Office of Personnel Management (OPM). Once the background investigation\n                  is returned to NRC, PSB staff adjudicate the results by reviewing the investiga-\n                  tion report. The adjudicative process is an examination of a sufficient period of\n                  a person\xe2\x80\x99s life to make a determination to grant or deny a security clearance.\n\n                  The audit objective was to determine whether (1) NRC is in compliance with\n                  external and internal personnel security clearance requirements, and (2) NRC\xe2\x80\x99s\n                  personnel security clearance program is efficiently managed.\n\n                  Audit Results:\n\n                  NRC is not fully in compliance with established timeliness requirements for\n                  processing personnel security clearances. Furthermore, NRC\xe2\x80\x99s personnel\n                  security clearance program lacks sufficient management controls and oversight\n                  to measure the program\xe2\x80\x99s efficiency and assign accountability for the program\xe2\x80\x99s\n                  performance.\n\n                  Timeliness Requirements Not Met\n\n                  The Intelligence Reform and Terrorism Prevention Act of 2004 provides\n                  timeliness requirements for processing Federal personnel security clearance\n                  investigations. In accordance with the act, agencies (1) should adjudicate most\n                  clearance investigation results within 30 days, and (2) initiate a reinvestiga-\n                  tion every 5 years for \xe2\x80\x9cQ\xe2\x80\x9d (top secret) and every 10 years for \xe2\x80\x9cL\xe2\x80\x9d (secret) clear-\n                  ances. Despite these requirements, 62 percent of NRC adjudications during\n                  the first three quarters of FY 2009 took longer than 30 days, and OIG identi-\n                  fied 161 NRC employees whose reinvestigations were more than 1 year past\n                  due. NRC has not met the timeliness requirements because the agency has not\n\n                                             Adjudication Timeliness\n                                      October 1, 2008, through June 30, 2009\n                                                             N=978\n                      400\n\n                      300\n                                                       62 percent of adjudications occured\n                                                     outside of the 30-day IRTPA requirement\n                      200\n\n                      100\n\n                        0\n                               0-30       31-60      61-90      91-120     121-150   151-180   181-365\n                                                         Days to Complete\n                      Source: OIG-generated based on data obtained from OPM.\n\n\n\n\n16 | NRC OIG Semiannual Report to Congress\n\x0cimplemented a procedure to routinely                   Reinvestigations > 1 Year Past Due\nmonitor and follow up on all case files                        by Clearance Type\nto ensure cases are processed timely.                          (As of September 2009)\nAdditionally, management lacks useful\nand reliable reports to track the status\nof clearance investigations through                                                     L-Secret\n                                                                       43\nthe various stages of the investigative\nprocess. Delays in completing initial             86                                    L(H)-High\ninvestigations may hinder agency                                                        Public Trust\nproductivity, while delays in completing\nreinvestigations can lead to increased                                32                Q-\x07Top Secret\nsecurity risks.\n\nAgency Lacks Personnel Security\n                                              Source: OIG-generated based on data obtained from PSB.\nPerformance Measures\n\nFederal control standards require the establishment and review of perfor-\nmance measures and indicators. At the start of this audit, NRC lacked perfor-\nmance measures to assess the efficiency of NRC\xe2\x80\x99s personnel security clearance\nprogram. In response to a 2004 OIG audit report recommendation, the\nDivision of Facilities and Security added a timeliness performance measure\nto the FY 2005 Office of Administration Operating Plan for the processing of\npersonnel security investigations. However, in FY 2006, deeming the timeli-\nness performance measure unattainable, management removed the measure\nfrom the plan. Without performance measures, the agency\xe2\x80\x99s ability to assess\npersonnel security clearance program efficiency and assign accountability for\nthe program performance is limited. (Addresses Management and Performance\nChallenges #5 and #7)\n\nResults of the Audit of the Nuclear Regulatory\nCommission\xe2\x80\x99s Financial Statements for Fiscal Years\n2009 and 2008\nOIG Strategic Goal: Corporate Management\n\nThe Chief Financial Officers Act of 1990, as amended, requires the Inspector\nGeneral or an independent external auditor, as determined by the Inspector\nGeneral, to annually audit NRC\xe2\x80\x99s financial statements to determine whether\nthe agency\xe2\x80\x99s financial statements are free of material misstatement. The audit\nincludes examining, on a test basis, evidence supporting the amounts and\ndisclosures in the financial statements. It also includes assessing the accounting\nprinciples used and significant estimates made by management as well as eval-\nuating the overall financial statement presentation.\n\n\n\n                                                                     October 1, 2009-March 31, 2010 | 17\n\x0c                  In addition, the audit evaluates the effectiveness of internal controls over\n                  financial reporting and the agency\xe2\x80\x99s compliance with laws and regulations.\n\n                  Audit Results:\n\n                  Financial Statements\n                  The auditors expressed an unqualified opinion on the agency\xe2\x80\x99s FY 2009 and\n                  2008 financial statements.\n\n                  Internal Controls\n                  The auditors expressed an unqualified opinion on the agency\xe2\x80\x99s internal\n                  controls.\n\n                  Compliance with Laws and Regulations\n                  The auditors found no reportable instances of noncompliance with laws and\n                  regulations. (Addresses Management and Performance Challenge #6)\n\n                  Independent Evaluation of NRC\xe2\x80\x99s Implementation of the\n                  Federal Information Security Management Act for Fiscal\n                  Year 2009\n                  OIG Strategic Goal: Security\n\n                  The Federal Information Security Management Act (FISMA) of 2002 was\n                  enacted on December 17, 2002. FISMA outlines the information security\n                  management requirements for agencies, which include an annual independent\n                  evaluation of an agency\xe2\x80\x99s information security program2 and practices to deter-\n                  mine their effectiveness. This evaluation must include testing the effectiveness\n                  of information security policies, procedures, and practices for a representative\n                  subset of the agency\xe2\x80\x99s information systems. FISMA requires the annual evalu-\n                  ation to be performed by the agency\xe2\x80\x99s Inspector General or by an independent\n                  external auditor as determined by the Inspector General. Office of Manage-\n                  ment and Budget (OMB) memorandum M-09-29, FY 2009 Reporting Instruc-\n                  tions for the Federal Information Security Management Act and Agency Privacy\n                  Management, dated August 20, 2009, requires the agency\xe2\x80\x99s IG to report their\n                  responses to OMB\xe2\x80\x99s annual FISMA reporting questions for Inspectors General\n                  via an automated collection tool.\n\n                  The objective of this review was to perform an independent evaluation of\n                  NRC\xe2\x80\x99s implementation of FISMA for FY 2009.\n\n\n                  2\n                      \x07For the purposes of FISMA, the agency uses the term \xe2\x80\x9cinformation system security program.\xe2\x80\x9d\n\n\n\n\n18 | NRC OIG Semiannual Report to Congress\n\x0cAs of the completion of the fieldwork associated with this review, NRC had\n22 operational systems that fall under FISMA reporting requirements. Of the\n22, 8 were general support systems, and 14 were major applications. In addi-\ntion, NRC had three systems operated by a contractor or other organization on\nbehalf of the agency.\n\nEvaluation Results:\n\nProgram Enhancements and Improvements\n\nOver the past 7 years, NRC has continued to make improvements to its infor-\nmation system security program and continues to make progress in imple-\nmenting the recommendations resulting from previous FISMA evaluations. In\n2007, the Commission approved the establishment of the Computer Security\nOffice. The new office reports to the Deputy Executive Director for Corporate\nManagement and Chief Information Officer and is headed by the Chief Infor-\nmation Security Officer. The Chief Information Security Officer plans, directs,\nand oversees the implementation of a comprehensive, coordinated, integrated,\nand cost-effective NRC information technology security program, consistent\nwith applicable laws; regulations; Commission, Executive Director for Opera-\ntions, and Chief Information Officer direction; management initiatives; and\npolicies.\n\nThe agency has accomplished the following since the FY 2008 FISMA\nindependent evaluation:\n\n\xe2\x80\xa2 \t Completed certification and accreditation of 12 of the agency\xe2\x80\x99s 22 opera-\n    tional systems and 1 of the agency\xe2\x80\x99s 3 contractor systems. As of the\n    completion of fieldwork for FY 2009, all but one of the operational NRC\n    information systems had a current certification and accreditation, and all\n    three of the systems used or operated by a contractor or other organization\n    on behalf of the agency had a current certification and accreditation.\n\n\xe2\x80\xa2 \t Completed or updated security plans for 19 of the agency\xe2\x80\x99s 22 operational\n    systems and for all 3 contractor systems.\n\n\xe2\x80\xa2 \t Completed annual security control testing for all agency systems and for all\n    contractor systems.\n\n\xe2\x80\xa2 \t Completed annual contingency plan testing for all agency systems and for\n    all contractor systems.\n\n\xe2\x80\xa2 \t Issued several new and updated policies related to the protection of\n    personally identifiable information (PII) including an updated Computer\n\n\n\n                                                                 October 1, 2009-March 31, 2010 | 19\n\x0c                      Security Incident Response Policy, an updated PII Breach Notification Policy,\n                      an updated Computer Security Information Protection Policy, the Laptop\n                      Security Policy, and the Computer Security Policy for Encryption of Data at\n                      Rest When Outside of Agency Facilities.\n\n                  \xe2\x80\xa2 \t Issued the Agencywide Rules of Behavior for Authorized Computer Use. The\n                      rules of behavior are provided to NRC computer users as part of the annual\n                      computer security awareness course, and apply to all NRC employees,\n                      contractors, vendors, and agents (users) who have access to any system\n                      operated by the NRC or by a contractor or outside entity on behalf of the\n                      NRC.\n\n                  \xe2\x80\xa2 \t Developed configuration guidance, configuration standards, and standard\n                      system security plans for laptops, as well as a new Laptop Security Policy.\n\n                  \xe2\x80\xa2 \t Identified all employees with significant information technology security\n                      responsibilities and developed a plan for ensuring those employees receive\n                      appropriate role-based training.\n\n                  Program Weaknesses\n\n                  While the agency has made significant improvements in its information system\n                  security program and has made progress in implementing the recommenda-\n                  tions resulting from previous FISMA evaluations, the independent evalua-\n                  tion identified two information system security program weaknesses. One is\n                  a repeat finding from the FY 2008 independent evaluation, and the other is a\n                  repeat finding from several previous independent evaluations.\n\n                  \xe2\x80\xa2 \t The NRC inventory interface information is still inconsistent (repeat\n                      finding).\n\n                  \xe2\x80\xa2 \t The NRC inventory of major information systems operated by the agency\n                      and the identification of the interfaces between each system is still incon-\n                      sistent (repeat finding).\n\n                  \xe2\x80\xa2 \t The quality of the agency\xe2\x80\x99s plans of action and milestones still needs\n                      improvement (repeat finding).\n\n                  (Addresses Management and Performance Challenge #5)\n\n\n\n\n20 | NRC OIG Semiannual Report to Congress\n\x0cAudit of NRC\xe2\x80\x99s Lessons Learned Program\nOIG Strategic Goal: Safety\n\nIn 2002, NRC created the Davis-Besse Lessons Learned Task Force to evaluate\nthe agency\xe2\x80\x99s regulatory processes used during the Davis-Besse event.3 The\nDavis-Besse Lessons Learned Task Force recommended, among other things,\nthat NRC conduct an effectiveness review of the actions taken in response\nto past lessons learned reviews. Consequently, the Office of Nuclear Reactor\nRegulation (NRR) established the Effectiveness Review Lessons Learned Task\nForce. This task force found that some corrective actions implemented prior to\nthe Davis-Besse event had not been effective. In response, the EDO assigned\nthe task force to establish a program to institutionalize significant agencywide\nlessons learned.\n\nOn August 1, 2006, the agency issued MD 6.8, Lessons Learned Program, to\nestablish the formal and structured process needed to manage corrective actions\nfor significant agencywide lessons learned. MD 6.8 establishes the process\nfor screening, evaluating, and implementing potential agencywide lessons\nlearned. In accordance with this process, a Lessons Learned Program Manager\nis responsible for compiling potential lessons learned issues. The Program\nManager then schedules a Lessons Learned Oversight Board4 meeting to discuss\nwhether the selected issues should be considered as agencywide lessons learned.\nThe Oversight Board compares the issues to threshold criteria established in\nMD 6.8, and only if the criteria are met can an issue be considered an agency-\nwide lessons learned. Issues that do not meet the lessons learned criteria may be\naddressed by NRC offices through other corrective action mechanisms.\n\nThe EDO assigns a lead NRC office to create and implement a corrective action\nplan when a lesson learned is identified. Once the lead office implements the\ncorrective action plan, the Oversight Board determines if that plan was satis-\nfied. Upon successful completion of the corrective action plan, the Oversight\nBoard determines when the lead office conducts an effectiveness review. When\ncompleted, the Oversight Board reviews and makes recommendations if necessary.\n\nThe audit objective was to determine whether NRC\xe2\x80\x99s agencywide Lessons\nLearned Program meets its intended purpose to ensure that knowledge gained\n3\n    I\x07 n March 2002, plant workers at the Davis-Besse Nuclear Power Station discovered degradation of the\n     pressure boundary material of the Davis-Besse Nuclear Power Station reactor pressure vessel head while\n     conducting a routine repair. This problem led to a leakage of reactor cooling water, which contains boric\n     acid and can damage other areas of the nuclear reactor.\n4\n    \x07 e Oversight Board is composed of deputy office directors from NRR, the Office of New Reactors,\n    Th\n    the Office of Nuclear Material Safety and Safeguards, the Office of Federal and State Materials and\n    Environmental Management Programs, the Office of Nuclear Regulatory Research, the Office of Nuclear\n    Security and Incident Response, and a representative from one of the four NRC regions.\n\n\n\n                                                                                          October 1, 2009-March 31, 2010 | 21\n\x0c                  from significant lessons learned is retained and disseminated in a manner that\n                  will maximize its benefit and usefulness to the staff.\n\n                  Audit Results:\n\n                  Although NRC has identified significant agencywide lessons learned, agency\n                  staff are generally unaware of the program\xe2\x80\x99s lessons and activities.\n\n                  Specifically, staff are unaware of the issues considered for potential agencywide\n                  lessons learned, the lessons learned identified, and who has oversight for the\n                  program. OIG interviewed 24 NRC office points-of-contact identified by the\n                  Office of the Executive Director for Operations and found that 92 percent of the\n                  points of contact had limited knowledge of the program. Furthermore, current\n                  and former Lessons Learned Project Managers and Oversight Board members\n                  were unaware of the status of a database that was developed for the Lessons\n                  Learned Program. The database was intended to serve as a means to commu-\n                  nicate issues considered by the Oversight Board and the identified agencywide\n                  lessons learned that then could be documented and shared with agency staff.\n                  Although the database has been ready for use since November 2008, as of June\n                  2009, the $342,000 system had not been implemented for agencywide use.\n\n                  The Lessons Learned Program could have been more effectively communicated\n                  to staff, and management\xe2\x80\x99s attention to and support for certain aspects of the\n                  program has diminished over time. As a result, the program is missing oppor-\n                  tunities to identify and inform NRC staff of significant agencywide lessons\n                  learned that would improve agency operations. (Addresses All Management and\n                  Performance Challenges)\n\n                  Audit of NRC\xe2\x80\x99s Quality Assurance Planning for\n                  New Reactors\n                  OIG Strategic Goal: Safety\n\n                  NRC regulates the design, siting, construction, and operation of nuclear\n                  power plants. Title 10 Code of Federal Regulations (CFR) Part 52 (Part 52)\n                  establishes the process to apply for a combined license, which, if approved by\n                  the NRC, allows the applicant to construct and operate a nuclear power plant.\n                  The Office of New Reactors (NRO) is responsible for reviewing combined\n                  license applications.\n\n                  Under Part 52, each combined license applicant is required to submit a final\n                  safety analysis report that describes the facility and presents a safety analysis of\n                  the facility as a whole. This report must include a description of the applicant\xe2\x80\x99s\n                  quality assurance program to be applied to the design, fabrication, construc-\n                  tion, and testing of the structures, systems, and components of the facility.\n\n\n22 | NRC OIG Semiannual Report to Congress\n\x0c                                                                 Proposed Locations of New Reactors\nPart 52 references the quality assur-                                   River Bend*\n                                                                        ESBWR - 1 Unit           Grand Gulf*\n                                                                                                 ESBWR - 1 Unit             Callaway*\nance program requirements, which                                             WA\n                                                                                                                            EPR - 1 Unit\n                                                                                                                                                     Fermi\nare described in Title 10 CFR Part 50,                                                      MT                                                                                         ME\n                                                                                                           ND                                        ESBWR - 1 Unit\n                                                                        OR                                                                                                     VT\n                                                                                                                       MN                                                           NH      Nine Mile Point*\nAppendix B (Appendix B). Appendix B\n                                                                                  ID\n                                                                                                           SD                      WI                                     NY         MA     EPR - 1 Unit\n                                                                                             WY                                                     MI                              CT RI\n                                                                                                                                                                                            Bell Bend\n\napplies to all activities affecting safety-                                                                                                                                                 EPR - 1 Unit\n                                                                                                                        IA                                          PA\n                                                                             NV                            NE                                                                  NJ\n                                                                                                                                                         OH             MD\n                                                                                       UT                                               IL     IN                              DE\n\n\nrelated functions of the facility. NRO                             CA\n                                                                                                  CO\n                                                                                                            KS                MO                    KY\n                                                                                                                                                              WV\n                                                                                                                                                                    VA\n                                                                                                                                                                                    Calvert Cliffs\n                                                                                                                                                                                    EPR - 1 Unit\n\nstaff reviews, which include an evalua-\n                                                                                                                                                               NC\n                                                                                                                                               TN                               North Anna\n                                                                                  AZ                              OK                                                            ESBWR - 1 Unit\n                                                                                                 NM                          AR                                     SC\n\n\ntion of quality assurance, are performed\n                                                                                                                                                         GA                  Harris\n                                                                                                                                    MS          AL                           AP1000 - 2 Units\n                                                                                                            TX\n\nin accordance with NUREG-0800, the\n                                                                                                                             LA                                          William Lee\n                                                                                                                                                                         AP1000 - 2 Units\n                                                                                                                                                                   FL\n\nstandard review plan.                                                                                                  Bellefonte\n                                                                                                                       AP1000 - 2 Units\n                                                                                                                                                                      Turkey Point\n                                                                                                                                                                      AP1000 - 2 Units\n                                                                                       Comanche Peak                   Vogtle                             Levy County\n                                                                                       USAPWR - 2 Units                AP1000 - 2 Units                   AP1000 - 2 Units\n\nDuring the application process, appli-                       Victoria County*   South Texas\n                                                             Design/Units - TBA ABWR - 2 Units\n                                                                                                   V.C. Summer\n                                                                                                   AP1000 - 2 Units\n\ncants often conduct activities associated\nwith new nuclear power plant construc-              ABWR  AP1000        EPR      ESBWR         USAPWR       Design/Units - TBA\n\ntion, including developing processes that                         *Review Suspended at the Request of the Applicant\n                                                                                                                                             Source: NRC Office of New Reactors\n\nwill be used during construction, testing,\nand operations; establishing programs for areas such as corrective action, secu-\nrity, and training; and procuring materials and parts. The applicant must provide\noversight of vendor programs if safety-related parts are procured. Many nuclear\nvendors are now foreign-based companies and oversight of these foreign-based\ncompanies can present new challenges, such as overcoming cultural and language\nbarriers.\n\nThe audit objective was to determine the extent to which NRC provides oversight\nof applicant and licensee new nuclear power plant quality assurance programs.\n\nAudit Results:\n\nNRO conducts reviews of applicant quality assurance programs for new nuclear\npower plant design, construction, and operation, as well as reviews of vendor\nquality assurance programs. Given that the interest to build new nuclear power\nplants is in its infancy, NRO is appropriately focusing on quality assurance as it\nrelates to design and procurement activities. OIG has identified areas needing\nmanagement attention while NRO continues its ongoing quality assurance\nreview activities. Specifically:\n\n\xe2\x80\xa2 \t Coordination of quality assurance reviews among NRO branches is informal.\n\n\xe2\x80\xa2 \t NRC\xe2\x80\x99s quality assurance oversight does not include a review for accurate\n    translations.\n\nCoordination of Quality Assurance Reviews Among NRO Branches Is Informal\n\nSections of the standard review plan specify that the responsible technical reviewer\nwill coordinate the applicable quality assurance reviews with the NRO\xe2\x80\x99s quality\n\n\n\n                                                                                                          October 1, 2009-March 31, 2010 | 23\n\x0c                  assurance branches. However, coordination of quality assurance reviews among\n                  the technical reviewers and the quality assurance branch reviewers, when it\n                  occurs, is actually informal communication. Some individual reviewers infor-\n                  mally communicate through phone calls and e-mail, usually to address a specific\n                  issue rather than to coordinate a quality assurance review. For example, OIG\n                  learned that a quality assurance reviewer may ask a technical reviewer to provide\n                  assistance with a technical issue, or to participate in a quality assurance audit or\n                  inspection. Similarly, a technical reviewer may have a question for the quality\n                  assurance branch regarding quality assurance requirements. This interaction is\n                  dependent on the initiative of an individual reviewer.\n\n                  Agency expectations concerning quality assurance review coordination are not\n                  clearly defined and there is no process in place to ensure that it occurs. Conse-\n                  quently, there is no way to verify that the quality assurance review coordination\n                  has occurred, nor that all the quality assurance portions of the standard review\n                  plan technical chapters have been fully satisfied.\n\n                  NRC\xe2\x80\x99s Quality Assurance Oversight Does Not Include Review for Accurate\n                  Translations\n\n                  NRC\xe2\x80\x99s oversight of applicant and licensee quality assurance programs and activi-\n                  ties does not include a review for accurate document translations. Given the\n                  current industry reliance on foreign vendors and sub-suppliers for the design and\n                  manufacture of safety-related components, such as reactor vessels, the accuracy\n                  of translated design basis and other documentation, such as technical manuals,\n                  becomes more relevant for applicants/licensees and NRC alike. Indeed, OIG\n                  discovered one large nuclear vendor with a quality assurance procedure for trans-\n                  lation that it uses in-house for foreign language document translation. The vendor\n                  does not, however, apply the same quality assurance procedure to its foreign\n                  suppliers, and simply requires its suppliers to provide documentation in English,\n                  without regard for the translation process.\n\n                  NRC has undertaken some efforts to assess the impacts of the changing nuclear\n                  industry on its vendor inspection program but it has not fully assessed the impact\n                  of translated document quality on quality assurance oversight. Further, NRC has\n                  not assessed how translated documents from foreign providers of safety-related\n                  systems might impact the quality of safety-related components supplied to new\n                  nuclear power plant applicants and licensees in the United States.\n\n                  Consequently, NRC and its new nuclear power plant applicants and licensees\n                  could be relying on inaccurate translations. Furthermore, the accuracy of trans-\n                  lated documents used for design, construction, and operation of new nuclear\n                  power plants could be called into question. (Addresses Management Challenge #3)\n\n\n\n\n24 | NRC OIG Semiannual Report to Congress\n\x0cAudit of NRC\xe2\x80\x99s Physical Security Inspection Program for\nCategory I Fuel Cycle Facilities\nOIG Strategic Goal: Security\n\nNRC oversees security programs at facilities that manufacture fuel\nfor nuclear reactors. These fuel cycle facilities use \xe2\x80\x9cspecial nuclear\nmaterials\xe2\x80\x9d in the manufacturing process. NRC classifies special\nnuclear materials and the facilities that possess them into three\ncategories based upon the materials\xe2\x80\x99 potential for use in nuclear\nweapons, or \xe2\x80\x9cstrategic significance.\xe2\x80\x9d The three categories are:\n\n\xe2\x80\xa2 \t Category I: High strategic significance.\n\n\xe2\x80\xa2 \t Category II: Moderate strategic significance.\n\n\xe2\x80\xa2 \t Category III: Low strategic significance.\n\nTwo fuel cycle facilities in the United States process Category I\nmaterials into nuclear fuel for the Federal Government. The U.S.\n                                                                          Armed security officers safe-\nNavy, in particular, uses this fuel in nuclear powered ships and\n                                                                          guard fuel cycle facilities and are\nsubmarines. There are no Category II fuel cycle facilities operating\n                                                                          trained according to standards\nin the United States, and Category III facilities are subject to a\n                                                                          specified in Federal Government\ndifferent NRC physical security inspection regime than Category\n                                                                          regulations.\nI facilities because these materials present less risk to public safety   Source: Babcock and Wilcox Nuclear\nand security.                                                             Operations Group\n\nThe main objective of NRC\xe2\x80\x99s oversight program for Category I fuel cycle facili-\nties is to ensure that these facilities operate safely and securely in accordance\nwith NRC requirements. Since the terrorist attacks of September 11, 2001,\nNRC has issued licensees new requirements and guidance to enhance security\nat Category I fuel cycle facilities against sabotage and theft of nuclear materials.\n\nThe audit objective was to assess the effectiveness of the NRC\xe2\x80\x99s physical secu-\nrity inspection program over the protection and control of special nuclear\nmaterial at Category I fuel cycle facilities.\n\nAudit Results:\n\nThe Office of Nuclear Security and Incident Response (NSIR) fulfills its\nresponsibility to conduct physical security inspections at Category I fuel cycle\nfacilities. However, the inspection program faces the following two challenges:\n\n\xe2\x80\xa2 \t Need to provide physical security training for supervisors without previous \t\n    security experience to enhance management oversight of inspections.\n\n\n\n                                                                     October 1, 2009-March 31, 2010 | 25\n\x0c                      \xe2\x80\xa2 \t Inspection guidance has not undergone periodic review to ensure that it\n                          aligns with current NRC security guidance and requirements.\n\n                      Security Training Would Enhance Management Oversight\n\n                                      Federal Government internal control guidance recommends\n                                      that agencies staff positions with qualified personnel and\n                                      provide appropriate training. NRC branch chiefs play an\n                                      important role in overseeing inspection activities; however, the\n                                      branch chiefs responsible for fuel cycle facility physical secu-\n                                      rity inspections are not required to have background experi-\n                                      ence or undergo training in this area. NRC opens branch chief\n                                      positions to generalists to increase the pool of potential job\n                                      candidates, and staff said that branch chiefs can learn through\n                                      on-the-job training and that branch chiefs rely on inspectors\n                                      for technical expertise. In addition, NRC seeks candidates who\nFuel cycle facility personnel\n                                      exhibit leadership and supervisory skills, as well as program-\nprocessing uranium.\n                                      matic and regulatory knowledge.\nSource: Babcock and Wilcox Nuclear\nOperations Group\n                                      Without providing job-specific training to branch chiefs, NRC\n                      faces increased risk that branch chiefs might not be able to fulfill duties such as\n                      training new inspectors and reviewing inspection reports.\n\n                      NRC Has Not Conducted Timely Reviews of Inspection Guidance\n\n                      NRC guidance requires staff to review inspection policies and procedures at\n                      least once every 3 years and to revise them as necessary. However, guidance\n                      for fuel cycle facility physical security inspections has not undergone routine\n                      review and has not been revised to ensure that the guidance is up to date.\n                      Physical security inspectors and headquarters-based NSIR staff said there have\n                      been some efforts to revise inspection guidance, but acknowledged that this\n                      has not occurred in a systematic way. For example, 9 of 34 of the applicable\n                      inspection procedures were issued before 1987 and have not been updated.\n                      Moreover, staff recommended that reviews should address content gaps and\n                      overlaps among some inspection manual chapters and inspection procedures\n                      applicable to the program.\n\n                      Inspection guidance reviews and revisions have not occurred because NRC has\n                      not dedicated resources for this work and the agency has reportedly deferred\n                      some guidance revision pending an ongoing security rulemaking. As a conse-\n                      quence, NRC lacks assurance that physical security inspections are conducted\n                      in accordance with current regulations and requirements, which has the poten-\n                      tial to compromise the agency\xe2\x80\x99s oversight function. (Addresses\n                      Management Challenge #1)\n\n\n\n26 | NRC OIG Semiannual Report to Congress\n\x0cAUDITS IN PROGRESS\nAudit of NRC\xe2\x80\x99s Oversight of Irradiator Security\nOIG Strategic Goal: Security\n\nIrradiators are devices that expose products, such as food and medical supplies,\nto radiation for sterilization and other purposes. Radiation is achieved by the\nexposure to extremely hazardous radioactive sources, such as Cobalt-60. NRC has\nlong participated in efforts to address radioactive source protection and security.\nHowever, the terrorist attacks of September 11, 2001, heightened concerns about\nthe use of risk-significant radioactive materials in a malevolent act. Any loss of\nthis material, whether inadvertent or through a deliberate act, may result in signif-\nicant adverse impacts that could constitute a threat to the public health and safety\nor the common defense and security of the United States.\n\nNRC has enhanced security measures by developing orders requiring\nincreased security of irradiators and other radiological materials of concern.\nThese security orders supplement existing regulatory requirements. NRC is\ncurrently in the rulemaking process to adopt the orders into regulation.\n\nThe objective of this audit is to determine the adequacy of NRC\xe2\x80\x99s oversight of\nindustrial irradiator security. (Addresses Management and Performance\nChallenge #1)\n\nAudit of NRC\xe2\x80\x99s Non-Concurrence Process\nOIG Strategic Goal: Safety\n\nNRC managers and staff have various mechanisms for expressing their views\nabout agency decisions. The Non-Concurrence Process applies to all docu-\nments undergoing concurrence and applies equally to administrative issues,\npolicy issues, and technical concerns. The objectives of the Non-Concurrence\nProcess are to (1) promote discussion and consideration of differing views\non documents in the concurrence process, (2) provide a non-concurrence\noption for individuals with concerns about documents in the concurrence\nprocess that they had a role in creating or reviewing, and (3) provide a uniform\napproach to processing non-concurrences.\n\nAccording to a former Executive Director for Operations, \xe2\x80\x9cNon-concurrence\nshould be viewed as a routine option in the NRC\xe2\x80\x99s document concurrence\nprocess. All employees have a responsibility to raise concerns as early as\npossible in the document preparation and review process, engage in\ndiscussions and seek solutions before non-concurrences are initiated. The\nNon-Concurrence Process is another tool the agency can use to foster an\n\n\n                                                                     October 1, 2009-March 31, 2010 | 27\n\x0c                  environment in which the views of all employees are welcome, even when they\n                  differ from those of management.\xe2\x80\x9d\n\n                  The audit objective is to assess the effectiveness of how NRC dispositions issues\n                  objected to through the Non-Concurrence Process. (Addresses Management\n                  and Performance Challenge #2)\n\n                  Audit of NRC\xe2\x80\x99s Deployment of the National Source\n                  Tracking System\n                  OIG Strategic Goal: Security\n\n                  The National Source Tracking System (NSTS) is a data system developed by\n                  NRC to monitor licensees\xe2\x80\x99 inventories and transactions of Category 1 and\n                  Category 2 radiological sources. NRC deployed NSTS in December 2008, and\n                  licensees were required to begin reporting source transactions using NSTS by\n                  January 2009. In addition, NRC requires licensees to reconcile their physical\n                  inventories with NSTS inventory data on an annual basis. To facilitate public\n                  use, NSTS enables licensees to enter source data directly into the system via\n                  secure Internet connection. However, an NRC regulatory analysis completed in\n                  June 2009 shows that licensees tend to submit source data to NRC by fax. This\n                  requires NRC staff and/or contractors to enter source data into NSTS on behalf\n                  of licensees, and may increase support costs relative to NRC\xe2\x80\x99s initial projections.\n\n                  NSTS is a congressionally mandated project, and NRC regards it as critical\n                  for enhancing accountability of radiological sources that could pose a public\n                  health and safety threat if lost or stolen. Moreover, the Commission voted in\n                  June 2009 against expanding NSTS to include Category 3 radiological sources\n                  pending more information regarding NRC and licensee experience in using\n                  NSTS to track Category 1 and Category 2 sources.\n\n                  The audit objective is to determine if NSTS meets its required operational\n                  capabilities. (Addresses Management and Performance Challenge #5)\n\n                  Audit of NRC\xe2\x80\x99s Process for Closed Meetings\n                  OIG Strategic Goal: Security\n\n                  Nuclear regulation is the public\xe2\x80\x99s business and must be transacted publicly\n                  and candidly. The public must be informed about and have the opportunity to\n                  participate in the regulatory process as required by law. NRC has long recog-\n                  nized the importance and value of public communication and involvement\n                  as a cornerstone of fair regulation of the nuclear industry, and the agency has\n                  sought to include the public in various ways, including public meetings.\n\n\n\n28 | NRC OIG Semiannual Report to Congress\n\x0cThere are times, however, when NRC\xe2\x80\x99s policy dictates that the agency conduct\nmeetings with licensees that are closed to the public. Meetings are closed when\nthe discussions include preliminary, pre-decisional, or unverified information.\nThis policy applies solely to NRC staff-sponsored and staff-conducted meetings\nand not to meetings conducted by external organizations. It does not apply to\nthe Commission or offices that report directly to the Commission or to meet-\nings between NRC staff and State government representatives. It also does not\napply to meetings involving enforcement matters or settlement conferences.\n\nA public perception is that NRC\xe2\x80\x99s process for closed meetings gives licensees\npreferential treatment, particularly with regard to release of information. As a\nresult, it is not always clear that NRC is conducting agency business in a trans-\nparent manner.\n\nThe audit objective is to determine if NRC\xe2\x80\x99s process for closed meetings\nhinders the transparent transaction of nuclear regulation. (Addresses Manage-\nment and Performance Challenge #2)\n\nAudit of NRC\xe2\x80\x99s Vendor Inspection Program\nOIG Strategic Goal: Safety\n\nAppendix B to 10 CFR 50 establishes quality assurance requirements for the\ndesign, construction, and operation of structures, systems, and components\nthat prevent or mitigate the consequences of postulated accidents. (These\nrequirements are also referenced by 10 CFR 52.) Quality assurance comprises\nall activities necessary to provide adequate confidence that a structure, system,\nor component will perform satisfactorily in service. Among other things, these\nquality assurance activities include design, fabrication, purchasing, storing,\ntesting, and installation of components.\n\nNRC is responsible for ensuring that suppliers of nuclear safety-related struc-\ntures, systems, and components engage in suitable quality assurance activities.\nFor NRC to ensure that nuclear suppliers maintain adequate quality assurance\nprograms, it is first necessary to know which domestic and global suppliers are\nproviding components to licensees, and then it is essential to perform inspec-\ntions of their quality assurance programs.\n\nThe audit objective is to assess NRC\xe2\x80\x99s regulatory approach for ensuring the\nintegrity of domestic and global parts and services supplied to nuclear power\nreactors. (Addresses Management and Performance Challenge #3)\n\n\n\n\n                                                                  October 1, 2009-March 31, 2010 | 29\n\x0c                  Audit of NRC\xe2\x80\x99s Management Controls Over the\n                  Placement and Monitoring of Work With Department\n                  of Energy Laboratories\n                  OIG Strategic Goal: Corporate Management\n\n                  During FY 2008 and FY 2009 (as of March 31, 2009), NRC obligated\n                  approximately $92 million and $23 million, respectively, for agreements with\n                  Department of Energy (DOE) laboratories. MD 11.7, NRC Procedures for\n                  Placement of Work With the U.S. Department of Energy, states, \xe2\x80\x9cIt is the policy\n                  of the U.S. Nuclear Regulatory Commission that work placed with the U.S.\n                  Department of Energy be managed effectively.\xe2\x80\x9d\n\n                  The MD and associated handbook specify the interagency responsibilities,\n                  authorities, and procedures for placement and monitoring of work with DOE\n                  and its contractors. The objectives of MD 11.7 are to ensure (1) that procedures\n                  for negotiating and managing agreements with DOE are consistent with sound\n                  business practices and contracting principles; (2) uniform application of an\n                  agencywide standard of contract management for projects placed with DOE;\n                  and (3) that a framework exists for program management control, administra-\n                  tion, monitoring, and closeout of projects placed with DOE.\n\n                  The audit objective is to determine whether NRC has established and\n                  implemented an effective system of internal control over the placement\n                  and monitoring of work with DOE laboratories. (Addresses Management\n                  and Performance Challenge #6)\n\n                  Audit of NRC\xe2\x80\x99s FY 2010 Financial Statements\n                  OIG Strategic Goal: Corporate Management\n\n                  Under the Chief Financial Officers Act and the Government Management and\n                  Reform Act, the OIG is required to audit the financial statements of the NRC.\n                  OIG measures the agency\xe2\x80\x99s improvements by assessing corrective action taken\n                  on prior audit findings. The report on the audit of the agency\xe2\x80\x99s financial\n                  statements is due on November 15, 2010. In addition, the OIG will issue\n                  reports on:\n\n                  \xe2\x80\xa2 \t Special Purpose Financial Statements.\n\n                  \xe2\x80\xa2 \t Implementation of the Federal Managers\xe2\x80\x99 Financial Integrity Act.\n\n                  \xe2\x80\xa2 \t Condensed Financial Statements.\n\n\n\n\n30 | NRC OIG Semiannual Report to Congress\n\x0cThe audit objectives are to:\n\n\xe2\x80\xa2 \t Express opinions on the agency\xe2\x80\x99s financial statements and internal controls.\n\n\xe2\x80\xa2 \t Review compliance with applicable laws and regulations.\n\n\xe2\x80\xa2 \t Review the controls in the NRC\xe2\x80\x99s computer systems that are significant to\n    the financial statements.\n\n\xe2\x80\xa2 \t Assess the agency\xe2\x80\x99s compliance with OMB Circular A-123, Revised,\n    Management\xe2\x80\x99s Responsibility for Internal Control.\n\n(Addresses Management and Performance Challenge #6)\n\nAudit of NRC\xe2\x80\x99s Telework Program\nOIG Strategic Goal: Corporate Management\n\nPublic Law 106-345, Section 356, states, \xe2\x80\x9cEach executive agency shall establish\na policy under which employees of the agency may participate in telecom-\nmuting to the maximum extent possible without diminishing employee perfor-\nmance.\xe2\x80\x9d Telework benefits employers and employees through reduced costs\nand increased productivity. Telework can also play a critical role in Continuity\nof Operations activities. Recent events have necessitated a need for Continuity\nof Operations planning. This planning is intended to ensure that essential\nfunctions can continue during and after a disaster. A social benefit is also\ngained from telework with the reduction of traffic and pollution. The agency\nexpects to grow from about 3,600 employees in FY 2008 to more than 4,000 by\nFY 2010. This growth will place a premium on office space and equipment.\n\nNRC has a Flexible Workplace Program (Flexiplace) that allows employees in\neligible positions to apply for a fixed-schedule telework arrangement. Under\nFlexiplace, employees may work at home or at an offsite location, for up to 3\ndays per week, with the approval of their office director or regional adminis-\ntrator. Alternatively, employees can request to participate in Flexiplace under a\nproject-based schedule.\n\nThe audit objectives are to determine (1) if NRC\xe2\x80\x99s telework program complies\nwith relevant law and OPM guidance, (2) the adequacy of internal controls\nassociated with the telework program, and (3) NRC\xe2\x80\x99s readiness to have staff\ntelework under emergency situations. (Addresses Management and\nPerformance Challenge #7)\n\n\n\n\n                                                                  October 1, 2009-March 31, 2010 | 31\n\x0c                  Audit of NRC Employee Use of Federal Calling Cards\n                  OIG Strategic Goal: Corporate Management\n\n                  NRC costs associated with employee use of Federal Calling cards have\n                  increased significantly over the past several years. In FY 2007, 2,354 employees\n                  had calling cards, and NRC spent $20,388 for 389,687 minutes of card use. In\n                  FY 2008, employee use of the cards increased by about 400 percent over FY\n                  2007 levels, with NRC spending $100,490 for 1,793,167 minutes of card use.\n                  FY 2009 usage is projected to increase by 30 percent over the FY 2008 level. As\n                  of May 2009, the agency had already spent $108,199 for 1,869,708 minutes of\n                  use. Currently, it costs about 6 cents a minute to use the cards.\n\n                  NRC guidance on calling card use states that on domestic travel, employees\n                  may use the cards for official business calls and for either one 30-minute phone\n                  call home or two 10-minute phone calls home per day. For foreign travel, NRC\n                  permits one 5-minute call home three times within a 7-day period.\n\n                  A recent audit at the Internal Revenue Service found a lack of controls over\n                  calling card use and identified excessive spending on international calls and in\n                  connection with teleconferences.\n\n                  The audit objective is to determine whether NRC has established and imple-\n                  mented an effective system of internal control over the use of Federal calling\n                  cards. (Addresses Management and Performance Challenge #6)\n\n\n\n\n32 | NRC OIG Semiannual Report to Congress\n\x0cInvestigations\nDuring this reporting period, OIG received 100 allegations, initiated 19 inves-\ntigations, and closed 17 cases. In addition, the OIG made 20 referrals to NRC\nmanagement and 8 to the Department of Justice.\n\nINVESTIGATIVE CASE SUMMARIES\nPatients\xe2\x80\x99 Rights Advocate\nOIG Strategic Goal: Corporate Management\n\nOIG conducted an investigation based on a letter from a former NRC\nemployee to the NRC Commission regarding the February 2007 appoint-\nment of an individual to serve as the Patients\xe2\x80\x99 Right Advocate to the Advisory\nCommittee on the Medical Uses of Isotopes (ACMUI). The ACMUI was estab-\nlished in 1958 and advises the NRC on policy and technical issues related to\nthe regulation of the medical use of radioactive material. The letter from the\nformer NRC employee alleged that the NRC staff forwarded the individual\xe2\x80\x99s\nname to the Commission for approval without conveying certain information\nthat would have demonstrated that the individual recommended was not an\nappropriate choice for the Patients\xe2\x80\x99 Right Advocate position. Specifically, the\nformer NRC employee maintained that (1) NRC staff concealed that the indi-\nvidual recommended for the ACMUI Patients\xe2\x80\x99 Right Advocate was a senior\nDOE official, and (2) a NRC press release announcing the appointment of the\nPatients\xe2\x80\x99 Right Advocate cited this individual\xe2\x80\x99s involvement in the American\nAssociation of Cancer Patients, which was a fictitious organization.\n\nThis investigation determined that the NRC selected the individual for the\nPatients\xe2\x80\x99 Right Advocate in February 2007 based on his experience with\npatient rights and counseling and his experience as a health physicist. The indi-\nvidual\xe2\x80\x99s career achievements were reviewed by an NRC screening panel, which\ndetermined that he was the most qualified applicant for the position before\nforwarding the individual\xe2\x80\x99s name to the Commission for review. OIG found\nthat these actions were in accordance with NRC\xe2\x80\x99s process for selecting ACMUI\nmembers.\n\nThis investigation also determined that the individual selected for the Patients\xe2\x80\x99\nRight Advocate in February 2007 was not a senior DOE official, but at the time\nof his appointment had been employed as a contactor for a DOE national labo-\nratory since 1978. OIG also determined that an NRC press release incorrectly\nreferred to the American Association of Cancer Patients instead of another\npatient advocacy organization with a similar name. (Addresses Management\nand Performance Challenge #7)\n\n\n\n                                                                   October 1, 2009-March 31, 2010 | 33\n\x0c                     ADAMS Citrix Intrusion\n                     OIG Strategic Goal: Security\n\n                     OIG\xe2\x80\x99s Computer Crimes Unit (CCU) conducted an investigation into an alle-\n                     gation from the NRC Computer Security Office (CSO) of an attempted intru-\n                     sion of the Agencywide Documents Access Management System (ADAMS)\n                     Citrix server when antivirus software located password-cracking software on\n                     the system. ADAMS is an information system that provides access to all image\n                     and text documents that the NRC has made public since November 1, 1999, as\n                     well as bibliographic records (some with abstracts and full text) that the NRC\n                     made public before November 1999.\n\n                     The OIG CCU forensically reviewed the server and no pertinent information\n                     was found for the reported password cracking software because the antivirus\n                     software quarantined and removed it. Additional investigative analysis of\n                     the server revealed that a different password cracking software program had\n                     also been placed on the Citrix system. The CCU identified Internet Protocol\n                     addresses connected to the Citrix server when the malicious software was\n                     uploaded. The CCU was unable to determine the identity of the individual(s)\n                     who placed the malicious software on the Citrix server because it appeared the\n                     network intruders masked their identities by surreptitiously taking control of\n                     another individual\xe2\x80\x99s computer. (Addresses Management and Performance\n                     Challenge #6)\n\n                     Spear Phishing Attack on NRC\n                     OIG Strategic Goal: Security\n\n                     OIG\xe2\x80\x99s CCU conducted an investigation into an allegation from the NRC CSO\n                     of a spear phishing attack in which 17 NRC computer users were targeted.\n                                                    The e-mail address was similar to the name of\n                                                    an NRC employee. OIG CCU found that this\n                                                    spear phishing attack originated from an over-\n                                                    seas location. The individuals involved gained\n                                                    access through an insecure auto parts store\xe2\x80\x99s\n                                                    server and utilized it to open a Yahoo! e-mail\n                                                    account using the name of an NRC employee.\n                                                    This e-mail account was then used to send spear\n                                                    phishing e-mails to members of the NRC staff,\n                                                    triggering the download of the malicious soft-\n                                                    ware. (Addresses Management and Performance\n                                                    Challenge #6)\nPhoto illustration of digitized lock with binary code\nand circuit board.\n\n\n34 | NRC OIG Semiannual Report to Congress\n\x0cNRC Response to H&I Complaint\nOIG Strategic Goal: Safety\n\nOIG completed an investigation concerning a former licensee employee\xe2\x80\x99s\nharassment and intimidation (H&I) complaint against the individual\xe2\x80\x99s former\nemployer. The individual raised the concern to NRC\xe2\x80\x99s OI, which closed\nthe investigation after the individual reached a settlement with the former\nemployer. The alleger maintained that OI should not have closed the case, but\nshould have continued its investigation into the H&I complaint against the\nlicensee company.\n\nOIG learned that the former licensee employee raised the H&I complaint\nto OI after choosing not to follow NRC\xe2\x80\x99s Alternative Dispute Resolution\n(ADR) process to pursue the matter. ADR is a term that refers to a number of\nprocesses, such as mediation and facilitated dialogue, which can be used to\nassist parties in resolving disputes.\n\nAfter the individual raised the H&I complaint to OI, that office opened\nan investigation and attempted to interview the individual concerning the\ncomplaint. However, before OI investigators had the opportunity to interview\nthe individual, OI was notified that a settlement agreement had been reached\nbetween the parties and that NRC had reviewed the agreement and found it\nacceptable. OI subsequently closed the investigation on the basis that a settle-\nment agreement had been reached and no further investigation was warranted.\n\nAfter OI decided to close the case with no further investigation, NRC sent\ntwo letters to the individual with explanations concerning the rationale for\nclosing the OI case. One letter, from NRC\xe2\x80\x99s Office of Enforcement, stated that\n\xe2\x80\x9calthough the settlement was reached outside of NRC\xe2\x80\x99s ADR process, we can\naccept such settlements in lieu of an OI investigation per NRC policy.\xe2\x80\x9d The\nsecond letter, sent by the Office of Nuclear Reactor Regulation, stated that\n\xe2\x80\x9cNRC\xe2\x80\x99s policy regarding ADR is such that if the parties agree to mediate a\ndiscrimination complaint and reach settlement through that process, whether\nADR or through some other process, the NRC will not initiate an investigation\ninto the complaint.\xe2\x80\x9d While both letters suggested that OI would not conduct\na case if a settlement was reached via ADR, these explanations did not seem\nentirely applicable because OI had already opened its investigation into the\nH&I matter.\n\nOIG reviewed OI\xe2\x80\x99s investigative procedures manual and interviewed a senior\nOI official to ascertain why OI closed the case. The senior official explained\nthat while OI assigned the H&I allegation a case number, the office never\n\n\n\n\n                                                                 October 1, 2009-March 31, 2010 | 35\n\x0c                  \xe2\x80\x9cinitiated\xe2\x80\x9d an investigation because the preliminary interview with the alleger\n                  never occurred due to delays on the alleger\xe2\x80\x99s side. The OI official said that if\n                  OI had conducted a preliminary interview on the record and NRC\xe2\x80\x99s attorneys\n                  determined there was prima facie evidence regarding the allegation, then OI\n                  would have continued the investigation even if a settlement were reached.\n\n                  Based on the details of this case, NRC officials agreed that the initial letter sent\n                  to allegers should better articulate the relationship between settlement of alle-\n                  gations and OI involvement in a case. Agency officials said that as a result of\n                  the agency\xe2\x80\x99s experience with this matter, they will be including more concise\n                  language in their ADR letter sent to allegers. (Addresses Management and\n                  Performance Challenge #1)\n\n                  NRC Oversight of Nuclear Fuel Services\n                  OIG Strategic Goal: Safety\n\n                  OIG conducted an investigation involving six separate allegations concerning\n                  NRC\xe2\x80\x99s oversight of NFS, an NRC licensee located in Erwin, Tennessee, that\n                  manufactures and processes nuclear reactor fuel for commercial purposes and\n                  for the military. The allegations were conveyed from concerned individuals to\n                  OIG during a series of meetings.\n\n                  Three of the allegations challenged whether NRC followed its own rules and\n                  policies with regard to approval of an NFS license amendment, withholding of\n                  information to the public, and handling of an allegation against a senior NFS\n                  official. Each of these three allegations had been investigated and substantiated\n                  by OIG prior to being raised by concerned individuals during the OIG meet-\n                  ings. In the first case, OIG found that NRC approved a license amendment\n                  before the deadline for public comment. However, an agency official explained\n                  that in accordance with the Atomic Energy Act, the adjudication process is\n                  separate from the regulatory review process. Therefore, the official said, NRC\n                  may issue a licensing action prior to the expiration of the public comment\n                  period because the agency can later rescind its licensing actions as a result of\n                  adjudication action. In the second case, OIG found that the agency misapplied\n                  its June 2004 policy to withhold from the public all information on Depart-\n                  ment of Energy naval reactor activities involving NFS. The June 2004 policy\n                  directed NRC staff to designate all future correspondence with NFS related to\n                  the naval reactor programs as Official Use Only and withhold it from public\n                  disclosure. OIG found that instead of withholding only the naval reactor-\n                  related information, NRC withheld information on all activities, regardless of\n                  whether the information related to naval reactor or commercial operations. In\n\n\n\n\n36 | NRC OIG Semiannual Report to Congress\n\x0cSeptember 2007, NRC placed all previously withheld documents on the NRC\npublic Web site for 60 days. In the third case, OIG found that in March 2006,\nNRC Region II improperly referred to the licensee an allegation that a senior\nNFS official attended a force-on-force exercise under the influence of alcohol.\nNRC allegation guidance states that an allegation should not be referred to a\nlicensee if it is made against the licensee\xe2\x80\x99s management or those parties who\nwould normally receive and address the allegation. This referral was not in\naccordance with agency guidance because the subject was a licensee high-level\nmanagement official and was typically responsible for receiving and handling\nNRC allegation referrals.\n\nThe remaining three NFS-related allegations raised by concerned individuals\nwere not substantiated by OIG. One, addressed in a previous OIG case,\nalleged that the Department of Health and Human Services Agency for Toxic\nSubstances and Disease Registry (ATSDR) was influenced by NRC to find\nthat the NFS facility was not a significant health hazard. ATSDR conducts\npublic health assessments of sites on the Environmental Protection Agency\xe2\x80\x99s\nNational Priorities List to determine if people are being exposed to hazardous\nsubstances. ATSDR assessed NFS and ranked the site as \xe2\x80\x9cNo apparent health\nhazard.\xe2\x80\x9d OIG learned that when NRC Region II was informed of ATSDR\xe2\x80\x99s\nintent to assess NFS, Region II offered its assistance. However, ATSDR did not\naccept any input or assistance from NRC in its assessment of NFS. The second\nallegation, also addressed in a previous OIG case, stated that an NRC inspector\nat NFS was reassigned because he pursued his NRC assignment with too\nmuch rigor. OIG learned that, in fact, the inspector left the NFS position after\napplying for and receiving a promotion to another NRC position.\n\nThe third unsubstantiated allegation pertained to NRC\xe2\x80\x99s enforcement of a 2007\nconfirmatory order that required NFS to undertake an independent review of\nits safety culture. OIG learned that by January 2010, NRC had completed four\nperformance reviews at NFS, the last of which had been conducted in August\n2009. In these assessments, NRC staff noted that NFS continued to implement\nits safety culture improvement plan. (Addresses Management and Performance\nChallenges #1 and #2)\n\n\n\n\n                                                                 October 1, 2009-March 31, 2010 | 37\n\x0cSummary of OIG Accomplishments\n        INVESTIGATIVE STATISTICS\n        Source of Allegations \xe2\x80\x94 October 1, 2009, through March 31, 2010\n                      NRC Employee                                                              22\n\n                  NRC Management                3\n        Other Government Agency                 3\n\n                          Intervenor                        6\n\n                      General Public                                                           20\n            OIG Investigation/Audit                 4\n                 Regulated Industry                     5\n                        Anonymous                                                                     26\n                         OIG Project                        7\n\n                          Contractor                4\n\n                                        Allegations resulting from Hotline calls: 55\n\n                                                                                   Total 100\n\n\n        Disposition of Allegations \xe2\x80\x94 October 1, 2009, through March 31, 2010\n                                             Total                                              100\n\n                          Closed Administratively                             38\n\n                  Referred for OIG Investigation                         19\n        Referred to NRC Management and Staff                             20\n\n                          Pending Review Action                     12\n                      Correlated to Existing Case               6\n\n                       Allegations Under Review             5\n\n\n\n\n38 | NRC OIG Semiannual Report to Congress\n\x0cStatus of Investigations\nDOJ Referrals .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . 8\nDOJ Pending .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . 1\nDOJ Declinations  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . 7\nNRC Administrative Actions:\n\t Terminations and Resignations  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . 1\n\t Suspensions and Demotions .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . 2\n\t Counseling .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . 4\n\t Other .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . 2\n\n\nSummary of Investigations\nClassification of \t\t           Opened \t Closed \t Cases In\nInvestigations\t     Carryover\t Cases\t   Cases\t Progress\n\nConflict of Interest\t                  1\t                                         0\t              0\t              1\nExternal Fraud\t                        4\t                                         1\t              0\t              5\nFalse Statements \t                     0\t                                         1\t              0\t              1\nMisuse of Government Property\t         2\t                                         1\t              2\t              1\nEmployee Misconduct \t                 10\t                                         9\t              2\t             17\nManagement Misconduct\t                 2\t                                         3\t              0\t              5\nMishandling of Technical Allegations\t 7\t                                          0\t              3\t              4\nWhistleblower Reprisal\t                3\t                                         0\t              2\t              1\nProactive Initiatives \t                2\t                                         1\t              1\t              2\nMiscellaneous\t                         3\t                                         0\t              3\t              0\nTechnical Allegations\t                 3\t                                         0\t              2\t              1\nProjects\t                              7\t                                         3\t              2\t              8\nManagement Implication Report\t         1\t                                         0\t              0\t              1\nEvent Inquiries\t                       2\t                                         0\t              0\t              2\n\t\t\t Total Investigations\t             47\t                                        19\t             17\t             49\n\n\n\n\n                                                                                                       October 1, 2009-March 31, 2010 | 39\n\x0c                  AUDIT LISTINGS\n                  Internal Program Audit and Special Evaluation Reports\n                  Date\t         Title\t                                         Audit Number\n                  11/03/2009\t Audit of NRC\xe2\x80\x99s Physical Security Inspection\n                  \t           Program for Category 1 Fuel Cycle Facilities\t    OIG-10-A-01\n                  11/10/2009\t Results of the Audit of the United States Nuclear\n                  \t           Regulatory Commission\xe2\x80\x99s Financial Statements for\n                  \t           Fiscal Years 2009 and 2008 \t                      OIG-10-A-05\n                  11/16/2009\t Audit of NRC\xe2\x80\x99s Quality Assurance Planning for\n                  \t           New Reactors\t                                    OIG-10-A-02\n                  11/16/2009\t   Independent Auditor\xe2\x80\x99s Report on the U.S. Nuclear\n                  \t             Regulatory Commission\xe2\x80\x99s Special Purpose Financial\n                  \t             Statements as of September 30, 2008, and for the\n                  \t             Years Then Ended\t                                OIG-10-A-06\n                  11/17/2009\t Memorandum Report: Audit of NRC\xe2\x80\x99s\n                  \t           Management Directive 6.8, Lessons Learned\n                  \t           Program\t                                         OIG- 10-A-03\n                  11/17/2009\t Independent Evaluation of NRC\xe2\x80\x99s Implementation\n                  \t           of the Federal Information Security Management\n                  \t           Act for Fiscal Year 2009\t                      OIG-10-A-04\n                  01/14/2010\t Independent Auditor\xe2\x80\x99s Report on the Condensed\n                  \t           Financial Statements\t                         OIG-10-A-07\n                  01/22/2010\t Audit of NRC\xe2\x80\x99s Use of Electronic Submissions for\n                  \t           Combined License Applications\t                   OIG-10-A-08\n                  02/23/2010\t Audit of NRC\xe2\x80\x99s Personnel Security Clearance\n                  \t           Program for Employees \t                          OIG-10-A-09\n                  03/11/2010\t Memorandum Report: Review of Implementation\n                  \t           of the Federal Managers\xe2\x80\x99 Financial Integrity Act\n                  \t           for Fiscal Year 2009-March 11, 2010\t             OIG-10-A-10\n                  03/16/2010\t Social Engineering Assessment Report\xe2\x80\x93\t           OIG-10-A-11\n                  \t           Official Use Only\xe2\x80\x93Security Related Information\n\n\n\n\n40 | NRC OIG Semiannual Report to Congress\n\x0cContract Audit Reports\nOIG\t          Contractor/\t                Questioned\t   Unsupported\nIssue Date\t   Contract Number\t              Costs\t         Costs\n\n03/31/10\t     Dade Moeller & Associates\n\t             NRC-04-07-112\t                  0\t               0\n\n\n\n\n                                                        October 1, 2009-March 31, 2010 | 41\n\x0c    Audit Resolution Activities\nTABLE I\nOIG Reports Containing Questioned Costs5\nOctober 1, 2009, through March 31, 2010\n\t\t                                                                                           Questioned\t        Unsupported\n\t        Number of\t                                                                             Costs\t             Costs\nReports\t  Reports\t                                                                            (Dollars)\t         (Dollars)\n\nA.\t       For which no management decision\n          had been made by the commencement\n          of the reporting period\t                                         0\t                        0\t              0\n\nB.\t       Which were issued during the\n          reporting period\t                                                0\t                        0\t              0\n\n\t         Subtotal (A + B)\t                                                0\t                        0\t              0\n\nC.\t       For which a management decision was\n          made during the reporting period:\n\n\t         (i) \t dollar value of disallowed costs\t                          0\t                        0\t              0\n\n\t         (ii)\t dollar value of costs not disallowed\t                      0\t                        0\t              0\n\nD.\t       For which no management decision\n          had been made by the end of the\n          reporting period\t                                                0\t                        0\t              0\n\nE.\t       For which no management decision was\n          made within 6 months of issuance\t                                0\t                        0\t              0\n\n\n5\n    \x07 uestioned costs are costs that are questioned by the OIG because of an alleged violation of a provision\n    Q\n    of a law, regulation, contract, grant, cooperative agreement, or other agreement or document governing\n    the expenditure of funds; a finding that, at the time of the audit, such costs are not supported by\n    adequate documentation; or a finding that the expenditure of funds for the intended purpose is unnec-\n    essary or unreasonable.\n\n\n\n\n42 | NRC OIG Semiannual Report to Congress\n\x0cTABLE II\nOIG Reports Issued with Recommendations That Funds Be Put\nto Better Use6\n\t                                                                          Number of\t            Dollar Value\nReports\t                                                                    Reports\t              of Funds\n\nA.\t       For which no management decision\t 0\t 0\n          had been made by the commencement\n          of the reporting period\t\t\t\n\nB.\t       Which were issued during the \t 0\t                                                              0\n          reporting period\t\t\n\nC.\t       For which a management decision was\t\n          made during the reporting period:\t\t\n\n\t             (i) \t dollar value of recommendations\t                             0\t                      0\n          \t         that were agreed to by management\n\n\t          (ii) \tdollar value of recommendations \t                               0\t                      0\n           \t that were not agreed to by management\n\nD.\t       For which no management decision had\t                                  0\t                      0\n          been made by the end of the reporting\n          period\n\nE.\t       For which no management decision was\t 0\t 0\n          made within 6 months of issuance\t\t\t\n          \t\n\n6\n    \x07\x07A \xe2\x80\x9crecommendation that funds be put to better use\xe2\x80\x9d is a recommendation by the OIG that funds could\n      be used more efficiently if NRC management took actions to implement and complete the recommenda-\n      tion, including: reductions in outlays; deobligation of funds from programs or operations; withdrawal\n      of interest subsidy costs on loans or loan guarantees, insurance, or bonds; costs not incurred by imple-\n      menting recommended improvements related to the operations of NRC, a contractor, or a grantee;\n      avoidance of unnecessary expenditures noted in preaward reviews of contract or grant agreements; or\n      any other savings which are specifically identified.\n\n\n\n\n                                                                                         October 1, 2009-March 31, 2010 | 43\n\x0cTABLE III\nSignificant Recommendations Described in Previous\nSemiannual Reports on Which Corrective Action Has\nNot Been Completed\nDate\t       Report Title\t                                                  Number\n\n05/26/03\t   Audit of NRC\xe2\x80\x99s Regulatory Oversight of Special \t             OIG-03-A-15\n\t           Nuclear Materials\n\n\t           Recommendation 1: Conduct periodic inspections to\n\t           verify that material licensees comply with material\n\t           control and accountability (MC&A) requirements,\n\t           including, but not limited to, visual inspections of\n\t           licensees\xe2\x80\x99 special nuclear material (SNM) inventories\n\t           and validation of reported information.\t\t\n\n09/26/06\t   Evaluation of NRC\xe2\x80\x99s Use of Probabilistic Risk Assessment \t   OIG-06-A-24\n\t           in Regulating the Commercial Nuclear Power Industry\n\n\t           Recommendation 3: Conduct a full verification and\n\t           validation of SAPHIRE version 7.2 and GEM.\n\n09/06/07\t   Audit of NRC\xe2\x80\x99s License Renewal Program \t                     OIG-07-A-15\n\n\t           Recommendation 7: Establish a review process to\n\t           determine whether or not Interim Staff Guidance meets\n\t           the provisions of 10 CFR 54.37(b), and document accordingly.\n\n\n\n\n44 | NRC OIG Semiannual Report to Congress\n\x0cAbbreviations and Acronyms\nACMUI\t   Advisory Committee on the Medical Uses of Isotopes\nADAMS\t   Agencywide Documents Access and Management System\nADR\t     Alternative Dispute Resolution\nATSDR\t   Agency for Toxic Substances and Disease Registry\nCCU\t     Computer Crimes Unit (OIG)\nCFR\t     Code of Federal Regulations\nCIGIE\t   Council of Inspectors General for Integrity and Efficiency\nCSO\t     Computer Security Office (NRC)\nDOE\t     U.S. Department of Energy\nEDO\t     Executive Director for Operations\nFCA\t     False Claims Act\nFISMA\t   Federal Information Security Management Act\nFY\t      fiscal year\nH&I\t     harassment and intimidation\nIAM\t     Issue Area Monitor\nIG\t      Inspector General\nIMPEP\t   Integrated Materials Performance Evaluation Program\nMD\t      Management Directive\nNFS\t     Nuclear Fuel Services, Inc.\nNMED\t    Nuclear Material Events Database\nNR\t      naval reactor\nNRC \t    U.S. Nuclear Regulatory Commission\nNRO\t     Office of New Reactors (NRC)\nNRR\t     Office of Nuclear Reactor Regulation (NRC)\nNSIR\t    Office of Nuclear Security and Incident Response (NRC)\nNSTS\t    National Source Tracking System\nOGC\t     Office of the General Counsel (NRC)\nOI\t      Office of Investigations (NRC)\nOIG \t    Office of the Inspector General (NRC)\nOMB\t     Office of Management and Budget\nOPM\t     Office of Personnel Management\nPII\t     personally identifiable information\nPSB\t     Personnel Security Branch (NRC)\nSAIC\t    Science Application International Corporation\nSBCR\t    Office of Small Business and Civil Rights\nSSA\t     Senior Special Agent\n\n\n\n                                                            October 1, 2009-March 31, 2010 | 45\n\x0cReporting Requirements\n                  The Inspector General Act of 1978, as amended, specifies reporting require-\n                  ments for semiannual reports. This index cross-references those requirements\n                  to the applicable pages where they are fulfilled in this report.\n\n\n                  Citation\t               Reporting Requirements\t                                                  Page\n\n                  Section 4(a)(2) Review of Legislation and Regulations..................................... 6-9\n\n                  Section 5(a)(1) Significant Problems, Abuses, and Deficiencies.......14-26, 33-37\n\n                  Section 5(a)(2) Recommendations for Corrective Action.............................14-26\n\n                  Section 5(a)(3) Prior Significant Recommendations Not Yet Completed........ 44\n\n                  Section 5(a)(4) Matters Referred to Prosecutive Authorities............................. 39\n\n                  Section 5(a)(5) Information or Assistance Refused........................................ None\n\n                  Section 5(a)(6) Listing of Audit Reports............................................................... 40\n\n                  Section 5(a)(7) Summary of Significant Reports................................14-26, 33-37\n\n                  Section 5(a)(8) Audit Reports \xe2\x80\x94 Questioned Costs........................................... 42\n\n                  Section 5(a)(9) Audit Reports \xe2\x80\x94 Funds Put to Better Use................................. 43\n\n                  Section 5(a)(10) Audit Reports Issued Before Commencement of the\n                  \t                 Reporting Period for Which No Management\n                  \t                 Decision Has Been Made.................................................... None\n\n                  Section 5(a)(11) Significant Revised Management Decisions....................... None\n\n                  Section 5(a)(12) Significant Management Decisions With Which\n                  \t                 the OIG Disagreed............................................................... None\n\n\n\n\n46 | NRC OIG Semiannual Report to Congress\n\x0c\x0c\x0cNRC OIG\xe2\x80\x99s STRATEGIC GOALS\n1. S\n   \x07 trengthen NRC\xe2\x80\x99s efforts to protect public health and safety\n   and the environment.\n2. E\x07 nhance NRC\xe2\x80\x99s efforts to increase security in response to an\n    evolving threat environment.\n3. I\x07 ncrease the economy, efficiency, and effectiveness with\n    which NRC manages and exercises stewardship over its\n    resources.\n\x0c               REGU\n           EAR     LA\n         CL          T\n\n\n\n\n   NU\n\n\n\n\n                        OR\nSTATES\n\n\n\n\n                          YC\n                         OMMI S\n ED\n\n\n\n\n                         SI\n    IT\n\n\n\n\n                         O\n                    N\n         UN\n\n\n\n\nThe NRC OIG Hotline\nThe Hotline Program provides NRC employees, other Government employees, licensee/utility\nemployees, contractors and the public with a confidential means of reporting suspicious\nactivity concerning fraud, waste, abuse, and employee or management misconduct.\nMismanagement of agency programs or danger to public health and safety may also be\nreported. We do not attempt to identify persons contacting the Hotline.\n\nWhat should be reported:\n\xe2\x80\xa2 Contract and Procurement Irregularities        \xe2\x80\xa2 Abuse of Authority\n\xe2\x80\xa2 Conflicts of Interest                          \xe2\x80\xa2 Misuse of Government Credit Card\n\xe2\x80\xa2 Theft and Misuse of Property                   \xe2\x80\xa2 Time and Attendance Abuse\n\xe2\x80\xa2 Travel Fraud                                   \xe2\x80\xa2 Misuse of Information Technology Resources\n\xe2\x80\xa2 Misconduct                                     \xe2\x80\xa2 Program Mismanagement\n\n\nWays to Contact the OIG\n                                  Call:\n                                  OIG Hotline\n                                  1-800-233-3497\n                                  TDD: 1-800-270-2787\n                                  7:00 a.m. \xe2\x80\x93 4:00 p.m. (EST)\n                                  After hours, please leave a message\n\n\n                                  Submit:\n                                  On-Line Form\n                                  www.nrc.gov\n                                  Click on Inspector General\n                                  Click on OIG Hotline\n\n\n\n                                  Write:\n                                  U.S. Nuclear Regulatory Commission\n                                  Office of the Inspector General\n                                  Hotline Program, MS O5 E13\n                                  11555 Rockville Pike\n                                  Rockville, MD 20852-2738\n\n\nNUREG-1415, Vol. 22, No. 2\nMarch 2010\n\x0c'